diff --git a/devel/cargo-c/Makefile b/devel/cargo-c/Makefile index 85f1ee12df0bce..a5cd750124ba56 100644 --- a/devel/cargo-c/Makefile +++ b/devel/cargo-c/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cargo-c -PKG_VERSION:=0.9.32 +PKG_VERSION:=0.10.8 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/lu-zero/cargo-c/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=a96f3cc6c63d9901c9583083338d50b0132504bb067f68accc17f4116ed01f72 +PKG_HASH:=2c7bfff50e9c11801c92280f34f7d308857652b0c3875d0fd0906167623414ac PKG_MAINTAINER:=Luca Barbato PKG_LICENSE:=MIT diff --git a/lang/lua-ffi/Makefile b/lang/lua-ffi/Makefile index b31e769bc48dbe..3edf4d4e6d3c78 100644 --- a/lang/lua-ffi/Makefile +++ b/lang/lua-ffi/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lua-ffi -PKG_VERSION:=1.0.0 +PKG_VERSION:=1.1.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL=https://github.com/zhaojh329/lua-ffi/releases/download/v$(PKG_VERSION) -PKG_HASH:=e26a8ed685c1aa31566683e3c06b057fd9ae6c7eec9922abe7661eeb678f1cd8 +PKG_HASH:=85651aa772de5717b85fc6ac9bba61f0dc20155707fad8099245f97ecd301996 PKG_MAINTAINER:=Jianhui Zhao PKG_LICENSE:=MIT diff --git a/lang/rust/Makefile b/lang/rust/Makefile index b4b6285e7de2e3..ab5436741230fe 100644 --- a/lang/rust/Makefile +++ b/lang/rust/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rust -PKG_VERSION:=1.81.0 +PKG_VERSION:=1.84.0 PKG_RELEASE:=1 PKG_SOURCE:=rustc-$(PKG_VERSION)-src.tar.gz PKG_SOURCE_URL:=https://static.rust-lang.org/dist/ -PKG_HASH:=872448febdff32e50c3c90a7e15f9bb2db131d13c588fe9071b0ed88837ccfa7 +PKG_HASH:=15cee7395b07ffde022060455b3140366ec3a12cbbea8f1ef2ff371a9cca51bf HOST_BUILD_DIR:=$(BUILD_DIR)/host/rustc-$(PKG_VERSION)-src PKG_MAINTAINER:=Luca Barbato diff --git a/libs/libedit/Makefile b/libs/libedit/Makefile index 56852bc38b045e..8aaa258076dd3a 100644 --- a/libs/libedit/Makefile +++ b/libs/libedit/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk VERSION:=3.1 -RELEASE_DATE:=20240808 +RELEASE_DATE:=20250104 PKG_NAME:=libedit PKG_VERSION:=$(RELEASE_DATE).$(VERSION) @@ -20,7 +20,7 @@ PKG_LICENSE:=BSD-3-Clause PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(RELEASE_DATE)-$(VERSION) PKG_SOURCE:=$(PKG_NAME)-$(RELEASE_DATE)-$(VERSION).tar.gz PKG_SOURCE_URL:=https://thrysoee.dk/editline/ -PKG_HASH:=5f0573349d77c4a48967191cdd6634dd7aa5f6398c6a57fe037cc02696d6099f +PKG_HASH:=23792701694550a53720630cd1cd6167101b5773adddcb4104f7345b73a568ac PKG_INSTALL:=1 diff --git a/libs/liburcu/Makefile b/libs/liburcu/Makefile index 70ad97d2abd730..76e1fde61081b8 100644 --- a/libs/liburcu/Makefile +++ b/libs/liburcu/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=liburcu -PKG_VERSION:=0.14.1 +PKG_VERSION:=0.15.0 PKG_RELEASE:=1 PKG_MAINTAINER:=Daniel Salzman @@ -18,7 +18,7 @@ PKG_LICENSE_FILES:=lgpl-2.1.txt gpl-2.0.txt lgpl-relicensing.txt PKG_SOURCE:=userspace-rcu-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://lttng.org/files/urcu/ -PKG_HASH:=231acb13dc6ec023e836a0f0666f6aab47dc621ecb1d2cd9d9c22f922678abc0 +PKG_HASH:=4f2d839af67905ad396d6d53ba5649b66113d90840dcbc89941e0da64bccd38c PKG_BUILD_DIR:=$(BUILD_DIR)/userspace-rcu-$(PKG_VERSION) PKG_FIXUP:=autoreconf diff --git a/libs/liburcu/patches/010-no-tests.patch b/libs/liburcu/patches/010-no-tests.patch index 2efade1198c5e3..af6e4daa637062 100644 --- a/libs/liburcu/patches/010-no-tests.patch +++ b/libs/liburcu/patches/010-no-tests.patch @@ -1,10 +1,11 @@ --- a/Makefile.am +++ b/Makefile.am -@@ -1,6 +1,6 @@ +@@ -4,7 +4,7 @@ + ACLOCAL_AMFLAGS=-I m4 -SUBDIRS = include src doc tests extras +SUBDIRS = include src - dist_doc_DATA = LICENSE \ - README.md + dist_doc_DATA = \ + LICENSE.md \ diff --git a/net/acme-acmesh/Makefile b/net/acme-acmesh/Makefile index 5d2f0d7654e5db..6bf861280d8251 100644 --- a/net/acme-acmesh/Makefile +++ b/net/acme-acmesh/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme-acmesh -PKG_VERSION:=3.0.7 -PKG_RELEASE:=2 +PKG_VERSION:=3.1.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)? -PKG_HASH:=abd446d6bd45d0b44dca1dcbd931348797a3f82d1ed6fb171472eaf851a8d849 +PKG_HASH:=5bc8a72095e16a1a177d1a516728bbd3436abf8060232d5d36b462fce74447aa PKG_BUILD_DIR:=$(BUILD_DIR)/acme.sh-$(PKG_VERSION) PKG_MAINTAINER:=Toke Høiland-Jørgensen diff --git a/net/antiblock/Makefile b/net/antiblock/Makefile new file mode 100644 index 00000000000000..f8101fb21a61ce --- /dev/null +++ b/net/antiblock/Makefile @@ -0,0 +1,48 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=antiblock +PKG_VERSION:=2.0.0 +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/karen07/antiblock +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_MIRROR_HASH:=3ea495e825edb75bc0bec9010d4b0195442dbcc745fc4d3150ae41ca11e9dfc4 + +PKG_MAINTAINER:=Khachatryan Karen +PKG_LICENSE:=GPL-3.0-or-later +PKG_LICENSE_FILES:=LICENSE + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/antiblock + SECTION:=net + CATEGORY:=Network + DEPENDS:=+libcurl + TITLE:=AntiBlock + URL:=https://github.com/karen07/antiblock +endef + +define Package/antiblock/description + AntiBlock program proxies DNS requests. + The IP addresses of the specified domains are added to + the routing table for routing through the specified interface. +endef + +define Package/antiblock/conffiles +/etc/config/antiblock +endef + +define Package/antiblock/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/antiblock $(1)/usr/bin/antiblock + + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/etc/init.d/antiblock $(1)/etc/init.d/antiblock + + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_CONF) ./files/etc/config/antiblock $(1)/etc/config/antiblock +endef + +$(eval $(call BuildPackage,antiblock)) diff --git a/net/antiblock/files/etc/config/antiblock b/net/antiblock/files/etc/config/antiblock new file mode 100644 index 00000000000000..cc31500f00c0a0 --- /dev/null +++ b/net/antiblock/files/etc/config/antiblock @@ -0,0 +1,14 @@ + +#config antiblock 'config' + #option enabled '0' + #At least one parameters needs to be filled: + #option url 'https://antifilter.download/list/domains.lst' + #option file '/root/my_urls.txt' + #Required parameters: + #option listen '192.168.1.1:5053' + #option DNS '1.1.1.1:53' + #option VPN_name 'VPN' + #Optional parameters: + #option log '1' + #option stat '1' + #option output '/tmp/antiblock' diff --git a/net/antiblock/files/etc/init.d/antiblock b/net/antiblock/files/etc/init.d/antiblock new file mode 100644 index 00000000000000..85d29bf8ee3be4 --- /dev/null +++ b/net/antiblock/files/etc/init.d/antiblock @@ -0,0 +1,83 @@ +#!/bin/sh /etc/rc.common + +USE_PROCD=1 +START=99 + +CONF="antiblock" + +start_service() { + config_load "$CONF" + + local _enabled + config_get_bool _enabled "config" "enabled" "0" + [ "${_enabled}" -eq "0" ] && return 1 + + echo "AntiBlock start" + + local _url + local _file + local _listen + local _DNS + local _VPN_name + local _log + local _stat + local _output + + config_get _url "config" "url" + config_get _file "config" "file" + + config_get _listen "config" "listen" + config_get _DNS "config" "DNS" + config_get _VPN_name "config" "VPN_name" + + config_get_bool _log "config" "log" "0" + config_get_bool _stat "config" "stat" "0" + config_get _output "config" "output" + + procd_open_instance "$CONF" + + procd_set_param command "/usr/bin/antiblock" + procd_set_param stdout 1 + procd_set_param stderr 1 + + [ -n "${_url}" ] && procd_append_param command -url "${_url}" + [ -n "${_file}" ] && procd_append_param command -file "${_file}" + + if [ -n "${_listen}" ]; then + local listen_IP="$(echo "${_listen}" | cut -d ':' -f1)" + local listen_port="$(echo "${_listen}" | cut -d ':' -f2)" + uci -q set dhcp.@dnsmasq[0].noresolv="1" + uci -q delete dhcp.@dnsmasq[0].server + uci -q add_list dhcp.@dnsmasq[0].server="$listen_IP#$listen_port" + + procd_append_param command -listen "${_listen}" + fi + [ -n "${_DNS}" ] && procd_append_param command -DNS "${_DNS}" + if [ -n "${_VPN_name}" ]; then + local gateway="$(uci -q get network."${_VPN_name}".addresses | cut -d '/' -f1)" + procd_append_param command -gateway "$gateway" + fi + + [ "${_log}" -ne "0" ] && procd_append_param command -log + [ "${_stat}" -ne "0" ] && procd_append_param command -stat + if [ -n "${_output}" ]; then + mkdir -p "${_output}" + procd_append_param command -output "${_output}" + fi + + procd_close_instance + + /etc/init.d/dnsmasq restart >/dev/null 2>&1 +} + +stop_service() { + echo "AntiBlock stop" + + uci -q revert dhcp.@dnsmasq[0] + + /etc/init.d/dnsmasq restart >/dev/null 2>&1 +} + +service_triggers() { + procd_add_reload_trigger "$CONF" +} diff --git a/net/antiblock/test.sh b/net/antiblock/test.sh new file mode 100644 index 00000000000000..6c9cb663dc44b2 --- /dev/null +++ b/net/antiblock/test.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +antiblock | grep "AntiBlock started" diff --git a/net/banip/Makefile b/net/banip/Makefile index 62107c58c50b34..4c2e5030ca3802 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -1,12 +1,12 @@ # banIP - ban incoming and outgoing IPs via named nftables Sets -# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org) +# Copyright (c) 2018-2025 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=1.0.1 -PKG_RELEASE:=2 +PKG_VERSION:=1.5.0 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 9a1060f27e0ed2..075f89fefb51e8 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -7,62 +7,63 @@ IP address blocking is commonly used to protect against brute force attacks, pre ## Main Features * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). -**Please note:** By default every feed blocks packet traversal in all supported chains, the table columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios: +**Please note:** By default, each feed blocks the packet flow in the chain shown in the table below. _Inbound_ combines the chains WAN-Input and WAN-Forward, _Outbound_ represents the LAN-FWD chain: * WAN-INP chain applies to packets from internet to your router * WAN-FWD chain applies to packets from internet to other local devices (not your router) * LAN-FWD chain applies to local packets going out to the internet (not your router) - For instance the first entry should be limited to the LAN forward chain - just set the 'LAN-Forward Chain' option under the 'Feed/Set Seetings' config tab accordingly. - -| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Port-Limit | Information | -| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------: | :----------------------------------------------------------- | -| adaway | adaway IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| asn | ASN segments | x | x | x | | [Link](https://asn.ipinfo.app) | -| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) | -| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) | -| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) | -| bogon | bogon prefixes | x | x | x | | [Link](https://team-cymru.com) | -| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) | -| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) | -| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) | -| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) | -| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) | -| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) | -| dshield | dshield IP blocklist | x | x | | | [Link](https://www.dshield.org) | -| etcompromised | ET compromised hosts | x | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) | -| feodo | feodo tracker | x | x | | | [Link](https://feodotracker.abuse.ch) | -| firehol1 | firehol level 1 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | -| firehol2 | firehol level 2 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | -| firehol3 | firehol level 3 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | -| firehol4 | firehol level 4 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | -| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) | -| hagezi | Threat IP blocklist | | | x | tcp: 80, 443 | [Link](https://github.com/hagezi/dns-blocklists) | -| ipblackhole | blackhole IPs | x | x | | | [Link](https://github.com/BlackHoleMonster/IP-BlackHole) | -| ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) | -| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) | -| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) | -| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) | -| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) | -| proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | -| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) | -| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| threat | emerging threats | x | x | | | [Link](https://rules.emergingthreats.net) | -| threatview | malicious IPs | x | x | | | [Link](https://threatview.io) | -| tor | tor exit nodes | x | x | x | | [Link](https://www.dan.me.uk) | -| turris | turris sentinel blocklist | x | x | | | [Link](https://view.sentinel.turris.cz) | -| uceprotect1 | spam protection level 1 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) | -| uceprotect2 | spam protection level 2 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) | -| uceprotect3 | spam protection level 3 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) | -| urlhaus | urlhaus IDS IPs | x | x | | | [Link](https://urlhaus.abuse.ch) | -| urlvir | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=urlvir) | -| webclient | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) | -| voip | VoIP fraud blocklist | x | x | | | [Link](https://voipbl.org) | -| yoyo | yoyo IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | + The listed standard assignments can be changed to your needs under the 'Feed/Set Settings' config tab. + +| Feed | Focus | Inbound | Outbound | Proto/Port | Information | +| :------------------ | :----------------------------- | :-----: | :------: | :----------: | :----------------------------------------------------------- | +| adaway | adaway IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| adguard | adguard IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| adguardtrackers | adguardtracker IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| antipopads | antipopads IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| asn | ASN segments | x | | | [Link](https://asn.ipinfo.app) | +| backscatterer | backscatterer IPs | x | | | [Link](https://www.uceprotect.net/en/index.php) | +| becyber | malicious attacker IPs | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) | +| binarydefense | binary defense banlist | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) | +| bogon | bogon prefixes | x | | | [Link](https://team-cymru.com) | +| bruteforceblock | bruteforceblocker IPs | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) | +| country | country blocks | x | | | [Link](https://www.ipdeny.com/ipblocks) | +| cinsscore | suspicious attacker IPs | x | | | [Link](https://cinsscore.com/#list) | +| debl | fail2ban IP blacklist | x | | | [Link](https://www.blocklist.de) | +| doh | public DoH-Provider | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) | +| drop | spamhaus drop compilation | x | | | [Link](https://www.spamhaus.org) | +| dshield | dshield IP blocklist | x | | | [Link](https://www.dshield.org) | +| etcompromised | ET compromised hosts | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) | +| feodo | feodo tracker | x | | | [Link](https://feodotracker.abuse.ch) | +| firehol1 | firehol level 1 compilation | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | +| firehol2 | firehol level 2 compilation | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | +| firehol3 | firehol level 3 compilation | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | +| firehol4 | firehol level 4 compilation | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | +| greensnow | suspicious server IPs | x | | | [Link](https://greensnow.co) | +| hagezi | Threat IP blocklist | | x | tcp: 80, 443 | [Link](https://github.com/hagezi/dns-blocklists) | +| ipblackhole | blackhole IPs | x | | | [Link](https://github.com/BlackHoleMonster/IP-BlackHole) | +| ipsum | malicious IPs | x | | | [Link](https://github.com/stamparm/ipsum) | +| ipthreat | hacker and botnet TPs | x | | | [Link](https://ipthreat.net) | +| myip | real-time IP blocklist | x | | | [Link](https://myip.ms) | +| nixspam | iX spam protection | x | | | [Link](http://www.nixspam.org) | +| oisdbig | OISD-big IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| oisdnsfw | OISD-nsfw IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| oisdsmall | OISD-small IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| pallebone | curated IP blocklist | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) | +| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | +| stevenblack | stevenblack IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| threat | emerging threats | x | | | [Link](https://rules.emergingthreats.net) | +| threatview | malicious IPs | x | | | [Link](https://threatview.io) | +| tor | tor exit nodes | x | | | [Link](https://www.dan.me.uk) | +| turris | turris sentinel blocklist | x | | | [Link](https://view.sentinel.turris.cz) | +| uceprotect1 | spam protection level 1 | x | | | [Link](https://www.uceprotect.net/en/index.php) | +| uceprotect2 | spam protection level 2 | x | | | [Link](https://www.uceprotect.net/en/index.php) | +| uceprotect3 | spam protection level 3 | x | | | [Link](https://www.uceprotect.net/en/index.php) | +| urlhaus | urlhaus IDS IPs | x | | | [Link](https://urlhaus.abuse.ch) | +| urlvir | malware related IPs | x | | | [Link](https://iplists.firehol.org/?ipset=urlvir) | +| webclient | malware related IPs | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) | +| voip | VoIP fraud blocklist | x | | | [Link](https://voipbl.org) | +| vpn | vpn IPs | x | | | [Link](https://github.com/X4BNet/lists_vpn) | +| vpndc | vpn datacenter IPs | x | | | [Link](https://github.com/X4BNet/lists_vpn) | +| yoyo | yoyo IPs | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | * Zero-conf like automatic installation & setup, usually no manual changes needed * All Sets are handled in a separate nft table/namespace 'banIP' @@ -79,13 +80,13 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist * Auto-add entire subnets to the blocklist Set based on an additional RDAP request with the monitored suspicious IP * Fast feed processing as they are handled in parallel as background jobs (on capable multi-core hardware) -* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains) +* Per feed it can be defined whether the inbound chain (wan-input, wan-forward) or the outbound chain (lan-forward) should be blocked * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget * Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith * Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds -* Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains +* Optionally always allow certain protocols/destination ports in the inbound chain * Deduplicate IPs accross all Sets (single IPs only, no intervals) * Provides comprehensive runtime information * Provides a detailed Set report @@ -107,7 +108,6 @@ IP address blocking is commonly used to protect against brute force attacks, pre **Please note:** * Devices with less than 256MB of RAM are **_not_** supported -* Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed) ## Installation & Usage * Update your local opkg repository (_opkg update_) @@ -155,13 +155,12 @@ Available commands: | ban_logreadfile | option | /var/log/messages | alternative location for parsing a log file via tail, to deactivate the standard parsing via logread | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_debug | option | 0 | enable banIP related debug logging | -| ban_icmplimit | option | 10 | threshold in number of packets to detect icmp DoS in prerouting chain. A value of '0' disables this safeguard | -| ban_synlimit | option | 10 | threshold in number of packets to detect syn DoS in prerouting chain. A value of '0' disables this safeguard | -| ban_udplimit | option | 100 | threshold in number of packets to detect udp DoS in prerouting chain. A value of '0' disables this safeguard | +| ban_icmplimit | option | 10 | threshold in number of packets to detect icmp DoS in prerouting chain. A value of '0' disables this safeguard | +| ban_synlimit | option | 10 | threshold in number of packets to detect syn DoS in prerouting chain. A value of '0' disables this safeguard | +| ban_udplimit | option | 100 | threshold in number of packets to detect udp DoS in prerouting chain. A value of '0' disables this safeguard | | ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain | -| ban_loginput | option | 0 | log supsicious packets in the wan-input chain | -| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain | -| ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain | +| ban_loginbound | option | 0 | log supsicious packets in the inbound chain (wan-input and wan-forward) | +| ban_logoutbound | option | 0 | log supsicious packets in the outbound chain (lan-forward) | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | | ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP | @@ -170,8 +169,9 @@ Available commands: | ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' | | ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists | | ban_basedir | option | /tmp | base working directory while banIP processing | -| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | -| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files | +| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores report files | +| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores compressed backup files | +| ban_errordir | option | /tmp/banIP-error | directory where banIP stores processing error files | | ban_protov4 | option | - / autodetect | enable IPv4 support | | ban_protov6 | option | - / autodetect | enable IPv6 support | | ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' | @@ -181,22 +181,27 @@ Available commands: | ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 | | ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' | | ban_triggerdelay | option | 20 | trigger timeout during interface reload and boot | -| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets | +| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets (see optional feed flag 'dup' below) | | ban_splitsize | option | 0 | split the processing/loading of Sets in chunks of n lines/members (saves RAM) | | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | | ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | | ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) | | ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance | | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | +| ban_nftretry | option | 5 | number of Set load attempts in case of an error | +| ban_nftcount | option | 0 | enable nft counter for every Set element | | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | +| ban_asnsplit | option | - | the selected ASNs are stored in separate Sets | | ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE | | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | -| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' | +| ban_countrysplit | option | - | the selected countries are stored in separate Sets | | ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic | -| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' | -| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' | -| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' | +| ban_feedin | list | - | limit the selected feeds to the inbound chain (wan-input and wan-forward) | +| ban_feedout | list | - | limit the selected feeds to the outbound chain (lan-forward) | +| ban_feedinout | list | - | set the selected feeds to the inbound and outbound chain (lan-forward) | +| ban_feedreset | list | - | override the default feed configuration and remove existing port/protocol limitations | +| ban_feedcomplete | list | - | opt out the selected feeds from the deduplication process | | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | | ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) | @@ -218,88 +223,94 @@ Available commands: ::: ::: banIP Set Statistics ::: - Timestamp: 2024-04-17 23:02:15 + Timestamp: 2025-01-13 22:08:39 ------------------------------ - blocked syn-flood packets : 5 - blocked udp-flood packets : 11 - blocked icmp-flood packets : 6 - blocked invalid ct packets : 277 + blocked syn-flood packets : 0 + blocked udp-flood packets : 0 + blocked icmp-flood packets : 0 + blocked invalid ct packets : 1 blocked invalid tcp packets: 0 --- auto-added IPs to allowlist: 0 auto-added IPs to blocklist: 0 - Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit + Set | Count | Inbound (packets) | Outbound (packets) | Port/Protocol | Elements ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------ - allowlistv4MAC | 0 | - | - | ON: 0 | - - allowlistv6MAC | 0 | - | - | ON: 0 | - - allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | - - allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | - - adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443 - adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443 - becyberv4 | 229006 | ON: 2254 | ON: 0 | - | - - cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | - - deblv4 | 10191 | ON: 23 | ON: 0 | - | - - countryv6 | 38233 | ON: 7 | ON: 0 | - | - - countryv4 | 37169 | ON: 2323 | ON: 0 | - | - - deblv6 | 65 | ON: 0 | ON: 0 | - | - - dropv6 | 66 | ON: 0 | ON: 0 | - | - - dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443 - dropv4 | 895 | ON: 75 | ON: 0 | - | - - dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443 - threatv4 | 20 | ON: 0 | ON: 0 | - | - - firehol1v4 | 753 | ON: 1 | ON: 0 | - | - - ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | - - firehol2v4 | 2216 | ON: 1 | ON: 0 | - | - - turrisv4 | 5613 | ON: 179 | ON: 0 | - | - - blocklistv4MAC | 0 | - | - | ON: 0 | - - blocklistv6MAC | 0 | - | - | ON: 0 | - - blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | - - blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | - + allowlist_v4MAC | 0 | - | ON: 0 | - | - + allowlist_v6MAC | 0 | - | ON: 0 | - | - + allowlist_v4 | 1 | ON: 0 | ON: 0 | - | - + allowlist_v6 | 2 | ON: 0 | ON: 0 | - | - + cinsscore_v4 | 11984 | ON: 5 | - | - | 66.240.205.34, 137.184.2 + | | | | | 4.204, 185.224.3.227, 18 + | | | | | 9.179.109.68, 193.200.78 + | | | | | .3 + country_v6 | 22188 | ON: 0 | - | - | - + country_v4 | 34925 | ON: 3 | - | - | 43.255.244.0(r), 205.210 + | | | | | .31.0(r), 222.16.0.0(r), + | | | | | 185.242.224.0(p) + debl_v4 | 13646 | ON: 0 | - | - | - + debl_v6 | 131 | ON: 0 | - | - | - + doh_v6 | 1218 | - | ON: 0 | tcp: 80, 443 | - + doh_v4 | 1756 | - | ON: 0 | tcp: 80, 443 | - + threat_v4 | 943 | ON: 2 | - | - | 45.142.193.0(p), 141.98. + | | | | | 10.0(p) + turris_v4 | 8017 | ON: 1 | - | - | 78.128.113.38 + blocklist_v4MAC | 0 | - | ON: 0 | - | - + blocklist_v6MAC | 0 | - | ON: 0 | - | - + blocklist_v4 | 0 | ON: 0 | ON: 0 | - | - + blocklist_v6 | 0 | ON: 0 | ON: 0 | - | - ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------ - 25 | 335706 | 17 (6513) | 17 (2) | 12 (0) + 17 | 94811 | 11 (11) | 10 (0) | 2 | 12 ``` **banIP runtime information** ``` +~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 0.9.6-r1 - + element_count : 108036 - + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6 + + version : 1.5.0-r1 + + element_count : 94811 + + active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, country.v6, country.v4, debl.v4, debl.v6, doh.v6, doh.v4, threat.v4, turris.v4, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6 + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: - - + active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8 - + nft_info : priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 10/10/100 - + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report - + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘ - + last_run : action: reload, log: logread, fetch: curl, duration: 1m 21s, date: 2024-05-27 05:56:29 - + system_info : cores: 4, memory: 1661, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r26353-a96354bcfb + + active_uplink : 81.63.213.211, fe80::687c:205:a02c:f879, 2004:fc:35ff:3f2:493c:205:a02c:f779 + + nft_info : ver: 1.1.1-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 10/10/100 + + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, error: /mnt/data/banIP/error + + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✘/✘/✘, count: ✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘ + + last_run : mode: restart, period: 0m 11s, memory: 1402 MB available, 1792 KB max. used, cores: 4, log: logread, fetch: wget + + system_info : 2025-01-13 22:07:32, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r28560-3f87c5ac42 ``` **banIP search information** ``` -~# /etc/init.d/banip search 221.228.105.173 +~# /etc/init.d/banip search 8.8.8.8 ::: ::: banIP Search ::: - Looking for IP '221.228.105.173' on 2023-02-08 22:12:48 + Looking for IP '8.8.8.8' on 2025-01-13 22:13:36 --- - IP found in Set 'oisdbasicv4' + IP found in Set 'country.v4' + IP found in Set 'doh.v4' ``` **banIP survey information** ``` -~# /etc/init.d/banip survey cinsscorev4 +~# /etc/init.d/banip survey doh.v4 ::: ::: banIP Survey ::: - List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58 + List of elements in the Set 'doh.v4' on 2025-01-13 22:35:57 --- -1.10.187.179 -1.10.203.30 -1.10.255.58 -1.11.67.53 -1.11.114.211 +{ "range": [ "1.0.0.1", "1.0.0.3" ] } +{ "range": [ "1.1.1.1", "1.1.1.3" ] } +1.236.250.173 +2.58.59.12 +2.135.147.99 +3.9.180.22 +3.10.65.124 +3.15.159.180 +3.33.139.32 +3.33.242.199 +3.34.32.82 [...] ``` @@ -314,15 +325,14 @@ nftables supports the atomic loading of firewall rules (incl. elements), which i **Sensible choice of blocklists** The following feeds are just my personal recommendation as an initial setup: -* cinsscore, debl, turris in WAN-Input and WAN-Forward chain -* doh in LAN-Forward chain +* cinsscore, debl, turris and doh in their default chains -In total, this feed selection blocks about 20K IP addresses. It may also be useful to include some countries to the country feed in WAN-Input and WAN-Forward chain. +In total, this feed selection blocks about 20K IP addresses. It may also be useful to include some countries to the country feed. Please note: don't just blindly activate (too) many feeds at once, sooner or later this will lead to OOM conditions. **Log Terms for logfile parsing** Like fail2ban and crowdsec, banIP supports logfile scanning and automatic blocking of suspicious attacker IPs. -In the default config only the log terms to detect failed login attempts via dropbear and LuCI are in place. The following search pattern has been tested as well - just transfer the required regular expression via cut and paste to your config (without quotation marks): +In the default config only the log terms to detect failed login attempts via dropbear and LuCI are in place. The following search pattern has been tested as well: ``` dropbear : 'Exit before auth from' LuCI : 'luci: failed login' @@ -343,7 +353,7 @@ Furthermore, you can reference external Allowlist URLs with additional IPv4 and Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. **Allowlist-only mode** -banIP supports an "allowlist only" mode. This option skips all blocklists and restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the wan-input / wan-forward chain, to still allow lan-forward communication to the rest of the world. +banIP supports an "allowlist only" mode. This option skips all blocklists and restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world. **MAC/IP-binding** banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. @@ -423,23 +433,24 @@ For a regular, automatic status mailing and update of the used lists on a daily **Redirect asterisk security logs to lodg/logread** By default banIP scans the logfile via logread, so to monitor attacks on asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running asterisk configuration. -**Change/add banIP feeds and port limitations** +**Change/add banIP feeds and set optional feed flags** The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file. A valid JSON source object contains the following information, e.g.: ``` [...] -"stevenblack":{ + "stevenblack":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "stevenblack IPs", "flag": "tcp 80 443" }, [...] ``` -Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed. -Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible. +Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex, the chain and the description for a new feed. +Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, 'dup' to opt out the feed from the deduplication process, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations. **Debug options** Whenever you encounter banIP related processing problems, please check the "Processing Log" tab. diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 71f9e572379228..79d55d21e21b1b 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -1,5 +1,5 @@ # banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets -# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org) +# Copyright (c) 2018-2025 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # (s)hellcheck exceptions @@ -15,6 +15,7 @@ export PATH="/usr/sbin:/usr/bin:/sbin:/bin" ban_basedir="/tmp" ban_backupdir="/tmp/banIP-backup" ban_reportdir="/tmp/banIP-report" +ban_errordir="/tmp/banIP-error" ban_feedfile="/etc/banip/banip.feeds" ban_countryfile="/etc/banip/banip.countries" ban_customfeedfile="/etc/banip/banip.custom.feeds" @@ -33,26 +34,28 @@ ban_mailreceiver="" ban_mailtopic="banIP notification" ban_mailprofile="ban_notify" ban_mailnotification="0" -ban_reportelements="1" ban_remotelog="0" ban_remotetoken="" ban_nftloglevel="warn" ban_nftpriority="-100" ban_nftpolicy="memory" ban_nftexpiry="" -ban_loglimit="100" +ban_nftretry="5" +ban_nftcount="0" ban_icmplimit="10" ban_synlimit="10" ban_udplimit="100" +ban_loglimit="100" ban_logcount="1" ban_logterm="" ban_region="" ban_country="" +ban_countrysplit="0" ban_asn="" +ban_asnsplit="0" ban_logprerouting="0" -ban_loginput="0" -ban_logforwardwan="0" -ban_logforwardlan="0" +ban_loginbound="0" +ban_logoutbound="0" ban_allowurl="" ban_allowflag="" ban_allowlistonly="0" @@ -64,11 +67,12 @@ ban_deduplicate="1" ban_splitsize="0" ban_autodetect="1" ban_feed="" -ban_blockpolicy="" -ban_blocktype="drop" -ban_blockinput="" -ban_blockforwardwan="" -ban_blockforwardlan="" +ban_feedin="" +ban_feedout="" +ban_feedinout="" +ban_feedcomplete="" +ban_feedreset="" +ban_blockpolicy="drop" ban_protov4="0" ban_protov6="0" ban_ifv4="" @@ -102,7 +106,7 @@ f_system() { ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')" ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' | - "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')" + "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')" if [ -z "${ban_cores}" ]; then cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)" core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)" @@ -254,16 +258,16 @@ f_log() { f_conf() { local rir ccode region country - unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_region ban_country ban_asn + unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_feedin ban_feedout ban_feedinout ban_feedreset ban_feedcomplete ban_logterm ban_region ban_country ban_asn config_cb() { option_cb() { - local option="${1}" - local value="${2}" + local option="${1}" value="${2//\"/\\\"}" + eval "${option}=\"${value}\"" } list_cb() { - local option="${1}" - local value="${2}" + local option="${1}" value="${2//\"/\\\"}" + case "${option}" in "ban_ifv4") eval "${option}=\"$(printf "%s" "${ban_ifv4}")${value} \"" @@ -286,17 +290,23 @@ f_conf() { "ban_feed") eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \"" ;; - "ban_allowurl") - eval "${option}=\"$(printf "%s" "${ban_allowurl}")${value} \"" + "ban_feedin") + eval "${option}=\"$(printf "%s" "${ban_feedin}")${value} \"" ;; - "ban_blockinput") - eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" + "ban_feedout") + eval "${option}=\"$(printf "%s" "${ban_feedout}")${value} \"" ;; - "ban_blockforwardwan") - eval "${option}=\"$(printf "%s" "${ban_blockforwardwan}")${value} \"" + "ban_feedinout") + eval "${option}=\"$(printf "%s" "${ban_feedinout}")${value} \"" ;; - "ban_blockforwardlan") - eval "${option}=\"$(printf "%s" "${ban_blockforwardlan}")${value} \"" + "ban_feedreset") + eval "${option}=\"$(printf "%s" "${ban_feedreset}")${value} \"" + ;; + "ban_feedcomplete") + eval "${option}=\"$(printf "%s" "${ban_feedcomplete}")${value} \"" + ;; + "ban_allowurl") + eval "${option}=\"$(printf "%s" "${ban_allowurl}")${value} \"" ;; "ban_logterm") eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\"" @@ -330,7 +340,7 @@ f_conf() { f_actual() { local nft monitor ppid pids pid - if "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then + if "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then nft="$(f_char "1")" else nft="$(f_char "0")" @@ -374,7 +384,6 @@ f_getfetch() { util="uclient-fetch" ;; esac - if [ -x "$(command -v "${util}")" ]; then ban_fetchcmd="$(command -v "${util}")" uci_set banip global ban_fetchcmd "${util}" @@ -386,7 +395,6 @@ f_getfetch() { fi [ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found, please set 'ban_fetchcmd' manually" - case "${ban_fetchcmd##*/}" in "aria2c") [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" @@ -503,7 +511,7 @@ f_getdev() { # get local uplink # f_getuplink() { - local uplink iface ip update="0" + local uplink iface ip if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then for iface in ${ban_ifv4} ${ban_ifv6}; do @@ -521,27 +529,29 @@ f_getuplink() { elif [ "${ban_autoallowuplink}" = "ip" ]; then network_get_ipaddr6 uplink "${iface}" fi - if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then + if [ -n "${uplink%fe80::*}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then ban_uplink="${ban_uplink}${uplink} " fi done + ban_uplink="$(f_trim "${ban_uplink}")" for ip in ${ban_uplink}; do if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then - if [ "${update}" = "0" ]; then - "${ban_sedcmd}" -i "/# uplink added on /d" "${ban_allowlist}" - fi - printf "%-45s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + "${ban_sedcmd}" -i "/# uplink added on /d" "${ban_allowlist}" + break + fi + done + date="$(date "+%Y-%m-%d %H:%M:%S")" + for ip in ${ban_uplink}; do + if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then + printf "%-45s%s\n" "${ip}" "# uplink added on ${date}" >>"${ban_allowlist}" f_log "info" "add uplink '${ip}' to local allowlist" - update="1" fi done - ban_uplink="$(f_trim "${ban_uplink}")" elif [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" = "disable" ]; then "${ban_sedcmd}" -i "/# uplink added on /d" "${ban_allowlist}" - update="1" fi - f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}" + f_log "debug" "f_getuplink ::: auto-allow/auto-uplink: ${ban_autoallowlist}/${ban_autoallowuplink}, uplink: ${ban_uplink:-"-"}" } # get feed information @@ -595,29 +605,51 @@ f_etag() { return "${out_rc}" } +# load file in nftset +# +f_nftload() { + local cnt="1" max_cnt="${ban_nftretry:-"5"}" feed_rc="0" file="${1}" errmsg="${2}" + + while ! "${ban_nftcmd}" -f "${file}" >/dev/null 2>&1; do + if [ "${cnt}" = "${max_cnt}" ]; then + [ ! -d "${ban_errordir}" ] && f_mkdir "${ban_errordir}" + "${ban_catcmd}" "${file}" 2>/dev/null >"${ban_errordir}/err.${file##*/}" + f_log "info" "${errmsg} ("${ban_errordir}/err.${file##*/}")" + feed_rc="4" + break + fi + cnt="$((cnt + 1))" + done + f_log "debug" "f_nftload ::: file: ${file##*/}, cnt: ${cnt}, max_cnt: ${max_cnt}" + return "${feed_rc}" +} + # build initial nft file with base table, chains and rules # f_nftinit() { - local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc flag tmp_proto tmp_port allow_dport file="${1}" + local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp flag tmp_proto tmp_port allow_dport feed_rc="0" file="${1}" wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" [ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" [ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" for flag in ${ban_allowflag}; do - if [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then - if [ -z "${tmp_proto}" ]; then - tmp_proto="${flag}" - elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then - tmp_proto="${tmp_proto}, ${flag}" - fi - elif [ -n "${flag//[![:digit:]-]/}" ]; then - if [ -z "${tmp_port}" ]; then - tmp_port="${flag}" - elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then - tmp_port="${tmp_port}, ${flag}" - fi - fi + case "${flag}" in + "tcp" | "udp") + if [ -z "${tmp_proto}" ]; then + tmp_proto="${flag}" + elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_proto="${tmp_proto}, ${flag}" + fi + ;; + "${flag//[![:digit:]-]/}") + if [ -z "${tmp_port}" ]; then + tmp_port="${flag}" + elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_port="${tmp_port}, ${flag}" + fi + ;; + esac done if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then allow_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }" @@ -632,43 +664,51 @@ f_nftinit() { fi { - # nft header (tables and chains) + # nft header (tables, base and regular chains) # printf "%s\n\n" "#!${ban_nftcmd} -f" - if "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then + if "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then printf "%s\n" "delete table inet banIP" fi printf "%s\n" "add table inet banIP" - printf "%s\n" "add counter inet banIP cnt-icmpflood" - printf "%s\n" "add counter inet banIP cnt-udpflood" - printf "%s\n" "add counter inet banIP cnt-synflood" - printf "%s\n" "add counter inet banIP cnt-tcpinvalid" - printf "%s\n" "add counter inet banIP cnt-ctinvalid" - printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -150; policy accept; }" + # base chains + # + printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -199; policy accept; }" printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" - printf "%s\n" "add chain inet banIP reject-chain" + # regular chains + # + printf "%s\n" "add chain inet banIP _inbound" + printf "%s\n" "add chain inet banIP _outbound" + printf "%s\n" "add chain inet banIP _reject" + # named counter + # + printf "%s\n" "add counter inet banIP cnt_icmpflood" + printf "%s\n" "add counter inet banIP cnt_udpflood" + printf "%s\n" "add counter inet banIP cnt_synflood" + printf "%s\n" "add counter inet banIP cnt_tcpinvalid" + printf "%s\n" "add counter inet banIP cnt_ctinvalid" # default reject chain rules # - printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset" - printf "%s\n" "add rule inet banIP reject-chain reject" + printf "%s\n" "add rule inet banIP _reject iifname != { ${wan_dev} } meta l4proto tcp reject with tcp reset" + printf "%s\n" "add rule inet banIP _reject reject with icmpx host-unreachable" # default pre-routing rules # printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept" - printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt_ctinvalid drop" if [ "${ban_icmplimit}" -gt "0" ]; then - printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" - printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" + printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt_icmpflood drop" + printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt_icmpflood drop" fi - [ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop" - [ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt-tcpinvalid drop" + [ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt_udpflood drop" + [ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt_synflood drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt_tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt_tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt_tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt_tcpinvalid drop" # default wan-input rules # @@ -679,33 +719,33 @@ f_nftinit() { printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept" [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept" + printf "%s\n" "add rule inet banIP wan-input meta mark set 1" + printf "%s\n" "add rule inet banIP wan-input counter jump _inbound" # default wan-forward rules # printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept" printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept" [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept" + printf "%s\n" "add rule inet banIP wan-forward meta mark set 2" + printf "%s\n" "add rule inet banIP wan-forward counter jump _inbound" # default lan-forward rules # printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept" printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept" [ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept" - [ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain" + [ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto _reject" + printf "%s\n" "add rule inet banIP lan-forward counter jump _outbound" } >"${file}" - # load initial banIP table within nft (atomic load) + # load initial banIP table/rules to nftset # - feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" + f_nftload "${file}" "can't initialize banIP nftables namespace" feed_rc="${?}" + [ "${feed_rc}" = "0" ] && f_log "info" "initialize banIP nftables namespace" - if [ "${feed_rc}" = "0" ]; then - f_log "info" "initialize banIP nftables namespace" - else - f_log "err" "can't initialize banIP nftables namespace (rc: ${feed_rc}, log: ${feed_log})" - fi - - f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, allowed_dports: ${allow_dport:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, icmp_limit: ${ban_icmplimit}, syn_limit: ${ban_synlimit}, udp_limit: ${ban_udplimit}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, allowed_dports: ${allow_dport:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, icmp_limit: ${ban_icmplimit}, syn_limit: ${ban_synlimit}, udp_limit: ${ban_udplimit}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}" : >"${file}" return "${feed_rc}" } @@ -713,129 +753,164 @@ f_nftinit() { # handle downloads # f_down() { - local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc - local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_target feed_dport tmp_proto tmp_port flag - local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}" + local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handle rc etag_rc element_count flag + local expr cnt_set cnt_dl restore_rc feed_direction feed_policy feed_rc feed_comp feed_complete feed_target feed_dport chain + local tmp_proto tmp_port asn country feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_chain="${5}" feed_flag="${6}" start_ts="$(date +%s)" - feed="${feed}v${proto}" + feed="${feed}.v${proto}" tmp_load="${ban_tmpfile}.${feed}.load" tmp_raw="${ban_tmpfile}.${feed}.raw" tmp_split="${ban_tmpfile}.${feed}.split" tmp_file="${ban_tmpfile}.${feed}.file" tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_nft="${ban_tmpfile}.${feed}.nft" - tmp_allow="${ban_tmpfile}.${feed%v*}" + tmp_allow="${ban_tmpfile}.${feed%.*}" - [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/${ban_blocktype}/${feed}: \"" - [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \"" - [ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \"" + # set log target + # + [ "${ban_loginbound}" = "1" ] && log_inbound="log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \"" + [ "${ban_logoutbound}" = "1" ] && log_outbound="tlog level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \"" # set feed target # - if [ "${ban_blocktype}" = "reject" ]; then - feed_target="goto reject-chain" + if [ "${ban_blockpolicy}" = "reject" ]; then + feed_target="goto _reject" else feed_target="drop" fi - # set feed block direction + # set element counter flag # - if [ "${ban_blockpolicy}" = "input" ]; then - if ! printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}" && - ! printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}" && - ! printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then - ban_blockinput="${ban_blockinput} ${feed%v*}" - fi - elif [ "${ban_blockpolicy}" = "forwardwan" ]; then - if ! printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}" && - ! printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}" && - ! printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then - ban_blockforwardwan="${ban_blockforwardwan} ${feed%v*}" - fi - elif [ "${ban_blockpolicy}" = "forwardlan" ]; then - if ! printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}" && - ! printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}" && - ! printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then - ban_blockforwardlan="${ban_blockforwardlan} ${feed%v*}" - fi + if [ "${ban_nftcount}" = "1" ]; then + element_count="counter" fi - if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then - feed_direction="input" - fi - if printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}"; then - feed_direction="${feed_direction} forwardwan" + + # set feed complete flag + # + if printf "%s" "${ban_feedcomplete}" | "${ban_grepcmd}" -q "${feed%%.*}"; then + feed_complete="true" fi - if printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then - feed_direction="${feed_direction} forwardlan" + + # set feed direction + # + if printf "%s" "${ban_feedin}" | "${ban_grepcmd}" -q "${feed%%.*}"; then + feed_policy="in" + feed_direction="inbound" + elif printf "%s" "${ban_feedout}" | "${ban_grepcmd}" -q "${feed%%.*}"; then + feed_policy="out" + feed_direction="outbound" + elif printf "%s" "${ban_feedinout}" | "${ban_grepcmd}" -q "${feed%%.*}"; then + feed_policy="inout" + feed_direction="inbound outbound" + else + feed_policy="${feed_chain}" + case "${feed_chain}" in + "in") + feed_direction="inbound" + ;; + "out") + feed_direction="outbound" + ;; + "inout") + feed_direction="inbound outbound" + ;; + *) + feed_direction="inbound" + ;; + esac fi # prepare feed flags # for flag in ${feed_flag}; do - if [ "${flag}" = "gz" ]; then - feed_comp="${flag}" - elif [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then - if [ -z "${tmp_proto}" ]; then - tmp_proto="${flag}" - elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then - tmp_proto="${tmp_proto}, ${flag}" - fi - elif [ -n "${flag//[![:digit:]-]/}" ]; then - if [ -z "${tmp_port}" ]; then - tmp_port="${flag}" - elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then - tmp_port="${tmp_port}, ${flag}" - fi - fi + case "${flag}" in + "gz") + feed_comp="${flag}" + ;; + "tcp" | "udp") + if [ -z "${tmp_proto}" ]; then + tmp_proto="${flag}" + elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_proto="${tmp_proto}, ${flag}" + fi + ;; + "${flag//[![:digit:]-]/}") + if [ -z "${tmp_port}" ]; then + tmp_port="${flag}" + elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_port="${tmp_port}, ${flag}" + fi + ;; + esac done - if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then - feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }" + + if ! printf "%s" "${ban_feedreset}" | "${ban_grepcmd}" -q "${feed%%.*}"; then + if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then + feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }" + fi fi # chain/rule maintenance # if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then - ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" + table_json="$("${ban_nftcmd}" -tja list table inet banIP 2>/dev/null)" { - printf "%s\n" "flush set inet banIP ${feed}" - for expr in 0 1; do - handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" + for chain in _inbound _outbound; do + for expr in 0 1; do + handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" + done done + printf "%s\n" "flush set inet banIP ${feed}" + printf "%s\n\n" "delete set inet banIP ${feed}" } >"${tmp_flush}" fi # restore local backups # - if [ "${feed%v*}" != "blocklist" ]; then - if [ -n "${ban_etagparm}" ] && [ "${ban_action}" = "reload" ] && [ "${feed_url}" != "local" ] && [ "${feed%v*}" != "allowlist" ]; then + if [ "${feed%%.*}" != "blocklist" ]; then + if [ -n "${ban_etagparm}" ] && [ "${ban_action}" = "reload" ] && [ "${feed_url}" != "local" ] && [ "${feed%%.*}" != "allowlist" ]; then etag_rc="0" - if [ "${feed%v*}" = "country" ]; then - for country in ${ban_country}; do - f_etag "${feed}" "${feed_url}${country}-aggregated.zone" ".${country}" - rc="${?}" - [ "${rc}" = "4" ] && break - etag_rc="$((etag_rc + rc))" - done - elif [ "${feed%v*}" = "asn" ]; then - for asn in ${ban_asn}; do - f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}" - rc="${?}" - [ "${rc}" = "4" ] && break - etag_rc="$((etag_rc + rc))" - done - else - f_etag "${feed}" "${feed_url}" - etag_rc="${?}" - fi + case "${feed%%.*}" in + "country") + if [ "${ban_countrysplit}" = "0" ]; then + for country in ${ban_country}; do + f_etag "${feed}" "${feed_url}${country}-aggregated.zone" ".${country}" + rc="${?}" + etag_rc="$((etag_rc + rc))" + [ "${rc}" = "4" ] && break + done + else + country="${feed%.*}" + country="${country#*.}" + f_etag "${feed}" "${feed_url}${country}-aggregated.zone" ".${country}" + etag_rc="${?}" + fi + ;; + "asn") + if [ "${ban_asnsplit}" = "0" ]; then + for asn in ${ban_asn}; do + f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}" + rc="${?}" + etag_rc="$((etag_rc + rc))" + [ "${rc}" = "4" ] && break + done + else + asn="${feed%.*}" + asn="${asn#*.}" + f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}" + etag_rc="${?}" + fi + ;; + *) + f_etag "${feed}" "${feed_url}" + etag_rc="${?}" + ;; + esac fi if [ "${etag_rc}" = "0" ] || [ "${ban_action}" != "reload" ] || [ "${feed_url}" = "local" ]; then - if [ "${feed%v*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then + if [ "${feed%%.*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then f_restore "allowlist" "-" "${tmp_allow}" "${etag_rc}" else f_restore "${feed}" "${feed_url}" "${tmp_load}" "${etag_rc}" @@ -847,16 +922,18 @@ f_down() { # prepare local/remote allowlist # - if [ "${feed%v*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then + if [ "${feed%%.*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then "${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}" feed_rc="${?}" for feed_url in ${ban_allowurl}; do - feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)" - feed_rc="${?}" - if [ "${feed_rc}" = "0" ] && [ -s "${tmp_load}" ]; then - "${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}" + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" >/dev/null 2>&1; then + if [ -s "${tmp_load}" ]; then + "${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}" + feed_rc="${?}" + fi else - f_log "info" "download for feed '${feed%v*}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" + f_log "info" "download for feed '${feed%%.*}' failed" + feed_rc="4" break fi done @@ -871,114 +948,93 @@ f_down() { # handle local feeds # - if [ "${feed%v*}" = "allowlist" ]; then + if [ "${feed%%.*}" = "allowlist" ]; then { printf "%s\n\n" "#!${ban_nftcmd} -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" - if [ "${proto}" = "4MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter accept" - elif [ "${proto}" = "6MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip6 saddr @${feed} counter accept" - elif [ "${proto}" = "4" ]; then - "${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - if [ -z "${feed_direction##*input*}" ]; then - if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter ${feed_target}" - else - printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept" - fi - fi - if [ -z "${feed_direction##*forwardwan*}" ]; then - if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter ${feed_target}" - else - printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept" - fi - fi - if [ -z "${feed_direction##*forwardlan*}" ]; then - if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter goto reject-chain" - else - printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept" + case "${proto}" in + "4MAC") + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ether saddr . ip saddr @${feed} counter accept" + ;; + "6MAC") + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ether saddr . ip6 saddr @${feed} counter accept" + ;; + "4") + "${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + if [ -z "${feed_direction##*inbound*}" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound} counter ${feed_target}" + else + printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter accept" + fi fi - fi - elif [ "${proto}" = "6" ]; then - "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${tmp_allow}" | - "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - if [ -z "${feed_direction##*input*}" ]; then - if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter ${feed_target}" - else - printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept" + if [ -z "${feed_direction##*outbound*}" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound} counter goto _reject" + else + printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter accept" + fi fi - fi - if [ -z "${feed_direction##*forwardwan*}" ]; then - if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter ${feed_target}" - else - printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept" + ;; + "6") + "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${tmp_allow}" | + "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + if [ -z "${feed_direction##*inbound*}" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound} counter ${feed_target}" + else + printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter accept" + fi fi - fi - if [ -z "${feed_direction##*forwardlan*}" ]; then - if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter ${feed_target}" - else - printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept" + if [ -z "${feed_direction##*outbound*}" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound} counter ${feed_target}" + else + printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter accept" + fi fi - fi - fi + ;; + esac } >"${tmp_nft}" : >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}" feed_rc="0" - elif [ "${feed%v*}" = "blocklist" ]; then + elif [ "${feed%%.*}" = "blocklist" ]; then { printf "%s\n\n" "#!${ban_nftcmd} -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" - if [ "${proto}" = "4MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter goto reject-chain" - elif [ "${proto}" = "6MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip6 saddr @${feed} counter goto reject-chain" - elif [ "${proto}" = "4" ]; then - if [ "${ban_deduplicate}" = "1" ]; then - "${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" - "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" - "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" - else - "${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" - fi - "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter ${feed_target}" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter ${feed_target}" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain" - elif [ "${proto}" = "6" ]; then - if [ "${ban_deduplicate}" = "1" ]; then - "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" | - "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}" - "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" - "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" - else + case "${proto}" in + "4MAC") + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ether saddr . ip saddr @${feed} counter goto _reject" + ;; + "6MAC") + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ether saddr . ip6 saddr @${feed} counter goto _reject" + ;; + "4") + "${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" | + "${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound} counter ${feed_target}" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound} counter goto _reject" + ;; + "6") "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" | - "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" - fi - "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter ${feed_target}" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain" - fi + "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' | + "${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" + [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound} counter ${feed_target}" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} ${log_outbound} counter goto _reject" + ;; + esac } >"${tmp_nft}" : >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}" feed_rc="0" @@ -988,40 +1044,76 @@ f_down() { elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then # handle country downloads # - if [ "${feed%v*}" = "country" ]; then - for country in ${ban_country}; do - feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)" - feed_rc="${?}" - [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" - done - : >"${tmp_raw}" - + if [ "${feed%%.*}" = "country" ]; then + if [ "${ban_countrysplit}" = "0" ]; then + for country in ${ban_country}; do + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" >/dev/null 2>&1; then + if [ -s "${tmp_raw}" ]; then + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + feed_rc="${?}" + fi + else + f_log "info" "download for feed '${feed%%.*}/${country}' failed" + fi + done + : >"${tmp_raw}" + else + country="${feed%.*}" + country="${country#*.}" + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}${country}-aggregated.zone" >/dev/null 2>&1; then + feed_rc="${?}" + else + feed_rc="4" + fi + fi # handle asn downloads # - elif [ "${feed%v*}" = "asn" ]; then - for asn in ${ban_asn}; do - feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)" - feed_rc="${?}" - [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" - done - : >"${tmp_raw}" - + elif [ "${feed%%.*}" = "asn" ]; then + if [ "${ban_asnsplit}" = "0" ]; then + for asn in ${ban_asn}; do + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" >/dev/null 2>&1; then + if [ -s "${tmp_raw}" ]; then + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + feed_rc="${?}" + fi + else + f_log "info" "download for feed '${feed%%.*}/${asn}' failed" + fi + done + : >"${tmp_raw}" + else + asn="${feed%.*}" + asn="${asn#*.}" + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}AS${asn}" >/dev/null 2>&1; then + feed_rc="${?}" + else + feed_rc="4" + fi + fi # handle compressed downloads # elif [ "${feed_comp}" = "gz" ]; then - feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)" - feed_rc="${?}" - [ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}" + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" >/dev/null 2>&1; then + if [ -s "${tmp_raw}" ]; then + "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}" + feed_rc="${?}" + fi + else + feed_rc="4" + fi : >"${tmp_raw}" # handle normal downloads # else - feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)" - feed_rc="${?}" + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" >/dev/null 2>&1; then + feed_rc="${?}" + else + feed_rc="4" + fi fi fi - [ "${feed_rc}" != "0" ] && f_log "info" "download for feed '${feed}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" + [ "${feed_rc}" != "0" ] && f_log "info" "download for feed '${feed}' failed, rc: ${feed_rc:-"-"}" # backup/restore # @@ -1038,7 +1130,7 @@ f_down() { if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then # deduplicate Sets # - if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then + if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ] && [ -z "${feed_complete}" ]; then "${ban_awkcmd}" '{sub("\r$", "");print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}" feed_rc="${?}" @@ -1047,7 +1139,6 @@ f_down() { feed_rc="${?}" fi : >"${tmp_raw}" >"${tmp_load}" - # split Sets # if [ "${feed_rc}" = "0" ]; then @@ -1055,57 +1146,56 @@ f_down() { if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit:]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then feed_rc="${?}" rm -f "${tmp_file}".* - f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit:]]/}'" + f_log "info" "can't split nfset '${feed}' to size '${ban_splitsize//[![:digit:]]/}'" fi else "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1" feed_rc="${?}" fi fi - # build nft file # if [ "${feed_rc}" = "0" ] && [ -s "${tmp_file}.1" ]; then if [ "${proto}" = "4" ]; then { - # nft header (IPv4 Set) input and forward rules + # nft header (IPv4 Set) incl. inbound and outbound rules # printf "%s\n\n" "#!${ban_nftcmd} -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" - printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }" + [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound} counter ${feed_target}" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound} counter goto _reject" } >"${tmp_nft}" elif [ "${proto}" = "6" ]; then { - # nft header (IPv6 Set) plus input and forward rules + # nft header (IPv6 Set) incl. inbound and outbound rules # printf "%s\n\n" "#!${ban_nftcmd} -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" - printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}" - [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }" + [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound} counter ${feed_target}" + [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound} counter goto _reject" } >"${tmp_nft}" fi fi : >"${tmp_flush}" >"${tmp_file}.1" fi - # load generated nft file in banIP table # if [ "${feed_rc}" = "0" ]; then - if [ "${feed%v*}" = "allowlist" ]; then + if [ "${feed%%.*}" = "allowlist" ]; then cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)" + elif [ "${feed%%.*}" = "blocklist" ]; then + cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${ban_blocklist}" 2>/dev/null)" else cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)" : >"${tmp_split}" fi - if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then - feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)" + if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed%%.*}" = "allowlist" ] || [ "${feed%%.*}" = "blocklist" ]; then + # load initial file to nftset + # + f_nftload "${tmp_nft}" "can't load initial file to nfset '${feed}'" feed_rc="${?}" - # load additional split files # if [ "${feed_rc}" = "0" ]; then @@ -1113,17 +1203,14 @@ f_down() { if [ -s "${split_file}" ]; then "${ban_sedcmd}" -i "1 i #!${ban_nftcmd} -f\nadd element inet banIP "${feed}" { " "${split_file}" printf "%s\n" "}" >>"${split_file}" - if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then - f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" - fi + # load split file to nftset + # + f_nftload "${split_file}" "can't load split file '${split_file##*.}' to nfset '${feed}'" + feed_rc="${?}" : >"${split_file}" fi done - if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then - cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" - fi - else - f_log "info" "can't initialize Set for feed '${feed}' (rc: ${feed_rc}, log: ${feed_log})" + cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>/dev/null)" fi else f_log "info" "skip empty feed '${feed}'" @@ -1132,7 +1219,7 @@ f_down() { : >"${tmp_nft}" end_ts="$(date +%s)" - f_log "debug" "f_down ::: feed: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_down ::: feed: ${feed}, policy: ${feed_policy}, complete: ${feed_complete:-"-"}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}" } # backup feeds @@ -1154,7 +1241,7 @@ f_backup() { f_restore() { local tmp_feed restore_rc="4" feed="${1}" feed_url="${2}" feed_file="${3}" in_rc="${4}" - [ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}" + [ "${feed_url}" = "local" ] && tmp_feed="${feed%.*}.v4" || tmp_feed="${feed}" if [ -s "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then "${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" restore_rc="${?}" @@ -1164,53 +1251,73 @@ f_restore() { return "${restore_rc}" } -# remove disabled Sets +# remove staled Sets # f_rmset() { - local expr feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc + local feedlist tmp_del table_json feed country asn table_sets handle expr del_set feed_rc f_getfeed json_get_keys feedlist tmp_del="${ban_tmpfile}.final.delete" - ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" - table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')" + table_json="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null)" + table_sets="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.family="inet"].set.name')" { printf "%s\n\n" "#!${ban_nftcmd} -f" - for item in ${table_sets}; do - if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${item%v*}" || - ! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${item%v*}"; then - [ -z "${del_set}" ] && del_set="${item}" || del_set="${del_set}, ${item}" - rm -f "${ban_backupdir}/banIP.${item}.gz" - printf "%s\n" "flush set inet banIP ${item}" - for expr in 0 1; do - handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" + for feed in ${table_sets}; do + if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${feed%.*}" || + ! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${feed%.*}" || + { [ "${feed%.*}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; } || + { [ "${feed%.*}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; }; then + case "${feed%%.*}" in + "country") + country="${feed%.*}" + country="${country#*.}" + if [ "${ban_countrysplit}" = "1" ] && printf "%s" "${ban_country}" | "${ban_grepcmd}" -q "${country}"; then + continue + fi + ;; + asn) + asn="${feed%.*}" + asn="${asn#*.}" + if [ "${ban_asnsplit}" = "1" ] && printf "%s" "${ban_asn}" | "${ban_grepcmd}" -q "${asn}"; then + continue + fi + ;; + esac + [ -z "${del_set}" ] && del_set="${feed}" || del_set="${del_set}, ${feed}" + rm -f "${ban_backupdir}/banIP.${feed}.gz" + for chain in _inbound _outbound; do + for expr in 0 1; do + handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" + done done - printf "%s\n\n" "delete set inet banIP ${item}" + printf "%s\n" "flush set inet banIP ${feed}" + printf "%s\n\n" "delete set inet banIP ${feed}" fi done } >"${tmp_del}" if [ -n "${del_set}" ]; then - feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)" - feed_rc="${?}" + if "${ban_nftcmd}" -f "${tmp_del}" >/dev/null 2>&1; then + feed_rc="${?}" + else + feed_rc="4" + fi fi : >"${tmp_del}" - f_log "debug" "f_rmset ::: Set: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_rmset ::: nfset: ${del_set:-"-"}, rc: ${feed_rc:-"-"}" } # generate status information # f_genstatus() { - local mem_free mem_max object end_time duration table_sets cnt_elements="0" custom_feed="0" split="0" status="${1}" + local mem_free mem_max nft_ver object end_time duration table_sets cnt_elements="0" custom_feed="0" split="0" status="${1}" mem_free="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1024)}' "/proc/meminfo" 2>/dev/null)" mem_max="$("${ban_awkcmd}" '/^VmHWM/{printf "%s",int($2)}' /proc/${$}/status 2>/dev/null)" + nft_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages["nftables-json"]')" [ -z "${ban_dev}" ] && f_conf if [ "${status}" = "active" ]; then @@ -1218,12 +1325,10 @@ f_genstatus() { end_time="$(date "+%s")" duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s" fi - table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')" - if [ "${ban_reportelements}" = "1" ]; then - for object in ${table_sets}; do - cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" - done - fi + table_sets="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.family="inet"].set.name')" + for object in ${table_sets}; do + cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>/dev/null)))" + done runtime="mode: ${ban_action:-"-"}, period: ${duration:-"-"}, memory: ${mem_free} MB available, ${mem_max} KB max. used, cores: ${ban_cores}, log: ${ban_logreadcmd##*/}, fetch: ${ban_fetchcmd##*/}" fi [ -s "${ban_customfeedfile}" ] && custom_feed="1" @@ -1265,9 +1370,9 @@ f_genstatus() { json_add_string "${object}" "${object}" done json_close_array - json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}, limit (icmp/syn/udp): ${ban_icmplimit}/${ban_synlimit}/${ban_udplimit}" - json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}" - json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/inp/fwd/lan): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})" + json_add_string "nft_info" "ver: ${nft_ver:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}, limit (icmp/syn/udp): ${ban_icmplimit}/${ban_synlimit}/${ban_udplimit}" + json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, error: ${ban_errordir}" + json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/in/out): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginbound})/$(f_char ${ban_logoutbound}), count: $(f_char ${ban_nftcount}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "last_run" "${runtime:-"-"}" json_add_string "system_info" "$(date "+%Y-%m-%d %H:%M:%S"), ${ban_sysver}" json_dump >"${ban_rtfile}" @@ -1342,13 +1447,13 @@ f_lookup() { cnt_domain="$((cnt_domain + 1))" done if [ -n "${elementsv4}" ]; then - if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" { ${elementsv4} } >/dev/null 2>&1; then - f_log "info" "can't add lookup file to Set '${feed}v4'" + if ! "${ban_nftcmd}" add element inet banIP "${feed}.v4" { ${elementsv4} } >/dev/null 2>&1; then + f_log "info" "can't add lookup file to nfset '${feed}.v4'" fi fi if [ -n "${elementsv6}" ]; then - if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" { ${elementsv6} } >/dev/null 2>&1; then - f_log "info" "can't add lookup file to Set '${feed}v6'" + if ! "${ban_nftcmd}" add element inet banIP "${feed}.v6" { ${elementsv6} } >/dev/null 2>&1; then + f_log "info" "can't add lookup file to nfset '${feed}.v6'" fi fi end_time="$(date "+%s")" @@ -1360,9 +1465,9 @@ f_lookup() { # table statistics # f_report() { - local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details - local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan - local sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid output="${1}" + local report_jsn report_txt tmp_val table_json item table_sets set_cnt set_inbound set_outbound set_cntinbound set_cntoutbound set_proto set_dport set_details + local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinbound sum_setoutbound sum_cntelements sum_cntinbound sum_cntoutbound + local chain set_elements set_json sum_setelements sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid output="${1}" [ -z "${ban_dev}" ] && f_conf f_mkdir "${ban_reportdir}" @@ -1371,90 +1476,84 @@ f_report() { # json output preparation # - ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" - table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')" + table_json="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null)" + table_sets="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.family="inet"].set.name')" sum_sets="0" - sum_setinput="0" - sum_setforwardwan="0" - sum_setforwardlan="0" + sum_cntelements="0" + sum_setinbound="0" + sum_setoutbound="0" + sum_cntinbound="0" + sum_cntoutbound="0" + sum_setports="0" sum_setelements="0" - sum_cntinput="0" - sum_cntforwardwan="0" - sum_cntforwardlan="0" - sum_synflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-synflood"].*.packets')" - sum_udpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-udpflood"].*.packets')" - sum_icmpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-icmpflood"].*.packets')" - sum_ctinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-ctinvalid"].*.packets')" - sum_tcpinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-tcpinvalid"].*.packets')" + sum_synflood="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt_synflood"].*.packets')" + sum_udpflood="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt_udpflood"].*.packets')" + sum_icmpflood="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt_icmpflood"].*.packets')" + sum_ctinvalid="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt_ctinvalid"].*.packets')" + sum_tcpinvalid="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt_tcpinvalid"].*.packets')" timestamp="$(date "+%Y-%m-%d %H:%M:%S")" : >"${report_jsn}" { printf "%s\n" "{" printf "\t%s\n" '"sets":{' for item in ${table_sets}; do - set_cntinput="" - set_cntforwardwan="" - set_cntforwardlan="" + set_json="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null)" + set_cnt="$(printf "%s" "${set_json}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>/dev/null)" + sum_cntelements="$((sum_cntelements + set_cnt))" + set_cntinbound="" + set_cntoutbound="" set_proto="" set_dport="" - for expr in 0 1; do - [ -z "${set_cntinput}" ] && set_cntinput="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")" - [ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")" - [ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")" - [ -z "${set_cntforwardwan}" ] && set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")" - [ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")" - [ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")" - [ -z "${set_cntforwardlan}" ] && set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")" - [ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")" - [ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")" + for chain in _inbound _outbound; do + for expr in 0 1; do + if [ "${chain}" = "_inbound" ] && [ -z "${set_cntinbound}" ]; then + set_cntinbound="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")" + elif [ "${chain}" = "_outbound" ] && [ -z "${set_cntoutbound}" ]; then + set_cntoutbound="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")" + fi + [ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")" + [ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")" + done done - if [ "${ban_reportelements}" = "1" ]; then - set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" - sum_setelements="$((sum_setelements + set_cnt))" - else - set_cnt="" - sum_setelements="n/a" - fi - if [ -n "${set_dport}" ]; then + if [ -n "${set_proto}" ] && [ -n "${set_dport}" ]; then + sum_setports="$((sum_setports + 1))" set_dport="${set_dport//[\{\}\":]/}" set_dport="${set_dport#\[ *}" set_dport="${set_dport%* \]}" set_dport="${set_proto}: $(f_trim "${set_dport}")" fi - if [ -n "${set_cntinput}" ]; then - set_input="ON" - sum_setinput="$((sum_setinput + 1))" - sum_cntinput="$((sum_cntinput + set_cntinput))" - else - set_input="-" - set_cntinput="" + if [ "${ban_nftcount}" = "1" ]; then + set_elements="$(printf "%s" "${set_json}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*][@.counter.packets>0].val' | "${ban_awkcmd}" '{ORS=" "; printf"%s, ",$1}')" + set_elements="${set_elements//{*/} $(printf "%s" "${set_json}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*][@.counter.packets>0].val.range[0]' | "${ban_awkcmd}" '{ORS=" "; printf"%s(r), ",$1}')" + set_elements="$(f_trim "${set_elements%%?}") $(printf "%s" "${set_json}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*][@.counter.packets>0].val.prefix.addr' | "${ban_awkcmd}" '{ORS=" "; printf"%s(p), ",$1}')" + set_elements="$(f_trim "${set_elements%%??}")" + sum_setelements="$((sum_setelements + $(printf "%s" "${set_elements}" | "${ban_wccmd}" -w)))" fi - if [ -n "${set_cntforwardwan}" ]; then - set_forwardwan="ON" - sum_setforwardwan="$((sum_setforwardwan + 1))" - sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))" + if [ -n "${set_cntinbound}" ]; then + set_inbound="ON" + sum_setinbound="$((sum_setinbound + 1))" + sum_cntinbound="$((sum_cntinbound + set_cntinbound))" else - set_forwardwan="-" - set_cntforwardwan="" + set_inbound="-" + set_cntinbound="" fi - if [ -n "${set_cntforwardlan}" ]; then - set_forwardlan="ON" - sum_setforwardlan="$((sum_setforwardlan + 1))" - sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))" + if [ -n "${set_cntoutbound}" ]; then + set_outbound="ON" + sum_setoutbound="$((sum_setoutbound + 1))" + sum_cntoutbound="$((sum_cntoutbound + set_cntoutbound))" else - set_forwardlan="-" - set_cntforwardlan="" + set_outbound="-" + set_cntoutbound="" fi [ "${sum_sets}" -gt "0" ] && printf "%s\n" "," printf "\t\t%s\n" "\"${item}\":{" printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\"," - printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\"," - printf "\t\t\t%s\n" "\"input\": \"${set_input}\"," - printf "\t\t\t%s\n" "\"cnt_forwardwan\": \"${set_cntforwardwan}\"," - printf "\t\t\t%s\n" "\"wan_forward\": \"${set_forwardwan}\"," - printf "\t\t\t%s\n" "\"cnt_forwardlan\": \"${set_cntforwardlan}\"," - printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\"", - printf "\t\t\t%s\n" "\"port\": \"${set_dport:-"-"}\"" + printf "\t\t\t%s\n" "\"cnt_inbound\": \"${set_cntinbound}\"," + printf "\t\t\t%s\n" "\"inbound\": \"${set_inbound}\"," + printf "\t\t\t%s\n" "\"cnt_outbound\": \"${set_cntoutbound}\"," + printf "\t\t\t%s\n" "\"outbound\": \"${set_outbound}\"", + printf "\t\t\t%s\n" "\"port\": \"${set_dport:-"-"}\"", + printf "\t\t\t%s\n" "\"set_elements\": \"${set_elements:-"-"}\"" printf "\t\t%s" "}" sum_sets="$((sum_sets + 1))" done @@ -1468,13 +1567,13 @@ f_report() { printf "\t%s\n" "\"sum_ctinvalid\": \"${sum_ctinvalid}\"," printf "\t%s\n" "\"sum_tcpinvalid\": \"${sum_tcpinvalid}\"," printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\"," - printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\"," - printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\"," - printf "\t%s\n" "\"sum_setforwardlan\": \"${sum_setforwardlan}\"," - printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\"," - printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\"," - printf "\t%s\n" "\"sum_cntforwardwan\": \"${sum_cntforwardwan}\"," - printf "\t%s\n" "\"sum_cntforwardlan\": \"${sum_cntforwardlan}\"" + printf "\t%s\n" "\"sum_setinbound\": \"${sum_setinbound}\"," + printf "\t%s\n" "\"sum_setoutbound\": \"${sum_setoutbound}\"," + printf "\t%s\n" "\"sum_cntelements\": \"${sum_cntelements}\"," + printf "\t%s\n" "\"sum_cntinbound\": \"${sum_cntinbound}\"," + printf "\t%s\n" "\"sum_cntoutbound\": \"${sum_cntoutbound}\"," + printf "\t%s\n" "\"sum_setports\": \"${sum_setports}\"," + printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\"" printf "%s\n" "}" } >>"${report_jsn}" @@ -1493,13 +1592,13 @@ f_report() { json_get_var sum_ctinvalid "sum_ctinvalid" >/dev/null 2>&1 json_get_var sum_tcpinvalid "sum_tcpinvalid" >/dev/null 2>&1 json_get_var sum_sets "sum_sets" >/dev/null 2>&1 - json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1 - json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1 - json_get_var sum_setforwardlan "sum_setforwardlan" >/dev/null 2>&1 + json_get_var sum_setinbound "sum_setinbound" >/dev/null 2>&1 + json_get_var sum_setoutbound "sum_setoutbound" >/dev/null 2>&1 + json_get_var sum_cntelements "sum_cntelements" >/dev/null 2>&1 + json_get_var sum_cntinbound "sum_cntinbound" >/dev/null 2>&1 + json_get_var sum_cntoutbound "sum_cntoutbound" >/dev/null 2>&1 + json_get_var sum_setports "sum_setports" >/dev/null 2>&1 json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1 - json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1 - json_get_var sum_cntforwardwan "sum_cntforwardwan" >/dev/null 2>&1 - json_get_var sum_cntforwardlan "sum_cntforwardlan" >/dev/null 2>&1 { printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::" printf "%s\n" " Timestamp: ${timestamp}" @@ -1515,7 +1614,7 @@ f_report() { json_select "sets" >/dev/null 2>&1 json_get_keys table_sets >/dev/null 2>&1 if [ -n "${table_sets}" ]; then - printf "%-25s%-15s%-24s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)" "| Port/Protocol Limit" + printf "%-25s%-15s%-24s%-24s%-24s%-24s\n" " Set" "| Count " "| Inbound (packets)" "| Outbound (packets)" "| Port/Protocol " "| Elements " printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------" for item in ${table_sets}; do printf " %-21s" "${item}" @@ -1527,9 +1626,17 @@ f_report() { "cnt_elements") printf "%-15s" "| ${jsnval}" ;; - "cnt_input" | "cnt_forwardwan" | "cnt_forwardlan") + "cnt_inbound" | "cnt_outbound") [ -n "${jsnval}" ] && tmp_val=": ${jsnval}" ;; + "set_elements") + printf "%-24s" "| ${jsnval:0:24}" + jsnval="${jsnval:24}" + while [ -n "${jsnval}" ]; do + printf "\n%-25s%-15s%-24s%-24s%-24s%-24s" "" "|" "|" "|" "|" "| ${jsnval:0:24}" + jsnval="${jsnval:24}" + done + ;; *) printf "%-24s" "| ${jsnval}${tmp_val}" tmp_val="" @@ -1540,7 +1647,7 @@ f_report() { json_select ".." done printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------" - printf "%-25s%-15s%-24s%-24s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput} (${sum_cntinput})" "| ${sum_setforwardwan} (${sum_cntforwardwan})" "| ${sum_setforwardlan} (${sum_cntforwardlan})" + printf "%-25s%-15s%-24s%-24s%-24s%-24s\n" " ${sum_sets}" "| ${sum_cntelements}" "| ${sum_setinbound} (${sum_cntinbound})" "| ${sum_setoutbound} (${sum_cntoutbound})" "| ${sum_setports}" "| ${sum_setelements}" fi } >>"${report_txt}" fi @@ -1565,7 +1672,7 @@ f_report() { # Set search # f_search() { - local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}" + local item table_sets ip proto hold cnt result="/var/run/banIP.search" input="${1}" if [ -n "${input}" ]; then ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')" @@ -1576,21 +1683,17 @@ f_search() { fi fi if [ -n "${proto}" ]; then - table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")" + table_sets="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | "${ban_jsoncmd}" -qe "@.nftables[@.set.type=\"ip${proto}_addr\"].set.name")" else printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::" return fi cnt="1" + : >"${result}" for item in ${table_sets}; do - [ -f "${result_flag}" ] && break ( if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then - printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" - printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" - printf " %s\n" "---" - printf " %s\n" "IP found in Set '${item}'" - : >"${result_flag}" + printf "%s " "${item}" >>"${result}" fi ) & hold="$((cnt % ban_cores))" @@ -1598,8 +1701,14 @@ f_search() { cnt="$((cnt + 1))" done wait - if [ -f "${result_flag}" ]; then - rm -f "${result_flag}" + if [ -s "${result}" ]; then + printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" + printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" + printf " %s\n" "---" + for item in $("${ban_catcmd}" "${result}"); do + printf " %s\n" "IP found in Set '${item}'" + done + : >"${result}" else printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" @@ -1617,7 +1726,7 @@ f_survey() { printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::" return fi - set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')" + set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*].elem.val')" printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "---" @@ -1675,7 +1784,7 @@ f_monitor() { ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))+"}{if(!seen[RT]++)printf "%s ",RT}')" ip="$(f_trim "${ip}")" ip="${ip##* }" - [ -n "${ip}" ] && [ "${ip%%.*}" != "127" ] && [ "${ip%%.*}" != "0" ] && proto="v4" + [ -n "${ip}" ] && [ "${ip%%.*}" != "127" ] && [ "${ip%%.*}" != "0" ] && proto=".v4" if [ -z "${proto}" ]; then if [ "${daemon}" = "dropbear" ]; then ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}([A-Fa-f0-9]:?)+"}{if(!seen[RT]++)printf "%s ",RT}')" @@ -1685,7 +1794,7 @@ f_monitor() { fi ip="$(f_trim "${ip}")" ip="${ip##* }" - [ -n "${ip%%::*}" ] && proto="v6" + [ -n "${ip%%::*}" ] && proto=".v6" fi if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then f_log "info" "suspicious IP '${ip}'" @@ -1699,8 +1808,8 @@ f_monitor() { rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)" rdap_rc="${?}" if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then - [ "${proto}" = "v4" ] && rdap_idx="$("${ban_jsoncmd}" -i "${ban_rdapfile}" -qe '@.cidr0_cidrs[@.v4prefix].*' | "${ban_awkcmd}" '{ORS=" "; print}')" - [ "${proto}" = "v6" ] && rdap_idx="$("${ban_jsoncmd}" -i "${ban_rdapfile}" -qe '@.cidr0_cidrs[@.v6prefix].*' | "${ban_awkcmd}" '{ORS=" "; print}')" + [ "${proto}" = ".v4" ] && rdap_idx="$("${ban_jsoncmd}" -i "${ban_rdapfile}" -qe '@.cidr0_cidrs[@.v4prefix].*' | "${ban_awkcmd}" '{ORS=" "; print}')" + [ "${proto}" = ".v6" ] && rdap_idx="$("${ban_jsoncmd}" -i "${ban_rdapfile}" -qe '@.cidr0_cidrs[@.v6prefix].*' | "${ban_awkcmd}" '{ORS=" "; print}')" rdap_info="$("${ban_jsoncmd}" -l1 -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" [ -z "${rdap_info}" ] && rdap_info="$("${ban_jsoncmd}" -l1 -i "${ban_rdapfile}" -qe '@.notices[0].links[0].value' | "${ban_awkcmd}" 'BEGIN{FS="[/.]"}{printf"%s, %s","n/a",toupper($4)}')" for idx in ${rdap_idx}; do @@ -1758,6 +1867,7 @@ ban_sedcmd="$(f_cmd sed)" ban_ubuscmd="$(f_cmd ubus)" ban_zcatcmd="$(f_cmd zcat)" ban_gzipcmd="$(f_cmd gzip)" +ban_wccmd="$(f_cmd wc)" f_system if [ "${ban_action}" != "stop" ]; then diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 1f38e07ec61405..33e80478f4fe6e 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -1,6 +1,6 @@ #!/bin/sh # banIP main service script - ban incoming and outgoing IPs via named nftables Sets -# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org) +# Copyright (c) 2018-2025 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # (s)hellcheck exceptions @@ -25,6 +25,7 @@ f_getuplink f_mkdir "${ban_backupdir}" f_mkfile "${ban_allowlist}" f_mkfile "${ban_blocklist}" +f_rmdir "${ban_errordir}" # firewall/fw4 pre-check # @@ -57,7 +58,7 @@ for feed in allowlist ${ban_feed} blocklist; do if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then for proto in 4MAC 6MAC 4 6; do [ "${feed}" = "blocklist" ] && wait - f_down "${feed}" "${proto}" + f_down "${feed}" "${proto}" "-" "-" "inout" done continue fi @@ -70,7 +71,7 @@ for feed in allowlist ${ban_feed} blocklist; do uci_commit "banip" continue fi - json_objects="url_4 rule_4 url_6 rule_6 flag" + json_objects="url_4 rule_4 url_6 rule_6 chain flag" for object in ${json_objects}; do eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1 done @@ -85,36 +86,44 @@ for feed in allowlist ${ban_feed} blocklist; do continue fi - # handle IPv4/IPv6 feeds with a single download URL + # handle IPv4/IPv6 feeds # - if [ "${feed_url_4}" = "${feed_url_6}" ]; then - if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then - (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") & + if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then + if [ "${feed}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; then + for country in ${ban_country}; do + f_down "${feed}.${country}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}" + done + elif [ "${feed}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; then + for asn in ${ban_asn}; do + f_down "${feed}.${asn}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}" + done + else + (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}") & + fi + if [ "${feed_url_4}" = "${feed_url_6}" ]; then feed_url_6="local" wait - fi - if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then - (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") & + else hold="$((cnt % ban_cores))" [ "${hold}" = "0" ] && wait cnt="$((cnt + 1))" fi - continue - fi - - # handle IPv4/IPv6 feeds with separate download URLs - # - if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then - (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") & - hold="$((cnt % ban_cores))" - [ "${hold}" = "0" ] && wait - cnt="$((cnt + 1))" fi if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then - (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") & + if [ "${feed}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; then + for country in ${ban_country}; do + f_down "${feed}.${country}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_chain:-"in"}" "${feed_flag}" + done + elif [ "${feed}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; then + for asn in ${ban_asn}; do + f_down "${feed}.${asn}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_chain:-"in"}" "${feed_flag}" + done + else + (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_chain:-"in"}" "${feed_flag}") & + fi + cnt="$((cnt + 1))" hold="$((cnt % ban_cores))" [ "${hold}" = "0" ] && wait - cnt="$((cnt + 1))" fi done wait diff --git a/net/banip/files/banip.cgi b/net/banip/files/banip.cgi index 975e3c5b26acc7..5aa4dd4569209e 100644 --- a/net/banip/files/banip.cgi +++ b/net/banip/files/banip.cgi @@ -1,6 +1,6 @@ #!/bin/sh # banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets -# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org) +# Copyright (c) 2018-2025 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # (s)hellcheck exceptions diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index 5d7b34653275bb..28e24accc17126 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds @@ -4,6 +4,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "adaway IPs", "flag": "tcp 80 443" }, @@ -12,6 +13,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "adguard IPs", "flag": "tcp 80 443" }, @@ -20,6 +22,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "adguardtracker IPs", "flag": "tcp 80 443" }, @@ -28,6 +31,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "antipopads IPs", "flag": "tcp 80 443" }, @@ -36,11 +40,13 @@ "url_6": "https://asn.ipinfo.app/api/text/list/", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "ASN IP segments" }, "backscatterer":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "backscatterer IPs", "flag": "gz" }, @@ -49,11 +55,13 @@ "url_6": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips_ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "malicious attacker IPs" }, "binarydefense":{ "url_4": "https://iplists.firehol.org/files/bds_atif.ipset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "binary defense banlist" }, "bogon":{ @@ -61,16 +69,19 @@ "url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "bogon prefixes" }, "bruteforceblock":{ "url_4": "https://danger.rulez.sk/projects/bruteforceblocker/blist.php", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "bruteforceblocker IPs" }, "cinsscore":{ "url_4": "https://cinsscore.com/list/ci-badguys.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "suspicious attacker IPs" }, "country":{ @@ -78,6 +89,7 @@ "url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "country blocks" }, "debl":{ @@ -85,6 +97,7 @@ "url_6": "https://lists.blocklist.de/lists/all.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "fail2ban IP blocklist" }, "doh":{ @@ -92,6 +105,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "public DoH-Provider", "flag": "tcp 80 443" }, @@ -100,67 +114,80 @@ "url_6": "https://www.spamhaus.org/drop/dropv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "spamhaus drop compilation" }, "dshield":{ "url_4": "https://feeds.dshield.org/block.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}", + "chain": "in", "descr": "dshield IP blocklist" }, "etcompromised":{ "url_4": "https://iplists.firehol.org/files/et_compromised.ipset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "ET compromised hosts" }, "feodo":{ "url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "feodo tracker" }, "firehol1":{ "url_4": "https://iplists.firehol.org/files/firehol_level1.netset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "firehol level 1 compilation" }, "firehol2":{ "url_4": "https://iplists.firehol.org/files/firehol_level2.netset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "firehol level 2 compilation" }, "firehol3":{ "url_4": "https://iplists.firehol.org/files/firehol_level3.netset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "firehol level 3 compilation" }, "firehol4":{ "url_4": "https://iplists.firehol.org/files/firehol_level4.netset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{if(!seen[$1]++)printf \"%s,\\n\",$1}", + "chain": "in", "descr": "firehol level 4 compilation" }, "greensnow":{ "url_4": "https://blocklist.greensnow.co/greensnow.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "suspicious server IPs" }, "hagezi":{ "url_4": "https://raw.githubusercontent.com/hagezi/dns-blocklists/refs/heads/main/ips/tif.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "Threat IP blocklist", "flag": "tcp 80 443" }, "ipblackhole":{ "url_4": "https://blackhole.s-e-r-v-e-r.pw/blackhole-today", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "blackhole IP blocklist" }, "ipsum":{ "url_4": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "malicious IPs" }, "ipthreat":{ "url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "hacker and botnet IPs", "flag": "gz" }, @@ -169,11 +196,13 @@ "url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "real-time IP blocklist" }, "nixspam":{ "url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz", "rule_4": "/127\\./{next}/(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}", + "chain": "in", "descr": "iX spam protection", "flag": "gz" }, @@ -182,6 +211,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "OISD-big IPs", "flag": "tcp 80 443" }, @@ -190,6 +220,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "OISD-nsfw IPs", "flag": "tcp 80 443" }, @@ -198,40 +229,41 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "OISD-small IPs", "flag": "tcp 80 443" }, "pallebone":{ "url_4": "https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "curated IP blocklist" }, "proxy":{ "url_4": "https://iplists.firehol.org/files/proxylists.ipset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "open proxies" }, - "sslbl":{ - "url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", - "rule_4": "BEGIN{FS=\",\"}/127\\./{next}/(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}", - "descr": "SSL botnet IPs" - }, "stevenblack":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "stevenblack IPs", "flag": "tcp 80 443" }, "threat":{ "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "emerging threats" }, "threatview":{ "url_4": "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "malicious IPs" }, "tor":{ @@ -239,49 +271,70 @@ "url_6": "https://www.dan.me.uk/torlist/?exit", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "tor exit nodes" }, "turris":{ "url_4":"https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv", "rule_4":"BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}", + "chain": "in", "descr":"turris sentinel blocklist" }, "uceprotect1":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "spam protection level 1", "flag": "gz" }, "uceprotect2":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz", "rule_4": "BEGIN{IGNORECASE=1}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]NET)/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "spam protection level 2", "flag": "gz" }, "uceprotect3":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net.gz", "rule_4": "BEGIN{IGNORECASE=1}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]YOUR)/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "spam protection level 3", "flag": "gz" }, "urlhaus":{ "url_4": "https://urlhaus.abuse.ch/downloads/ids/", "rule_4": "BEGIN{FS=\";\"}/content:\"127\\./{next}/(content:\"([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\")/{printf \"%s,\\n\",substr($10,11,length($10)-11)}", + "chain": "in", "descr": "urlhaus IDS IPs" }, "urlvir":{ "url_4": "https://iplists.firehol.org/files/urlvir.ipset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "malware related IPs" }, "voip":{ "url_4": "https://voipbl.org/update/", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "VoIP fraud blocklist" }, + "vpn":{ + "url_4": "https://raw.githubusercontent.com/X4BNet/lists_vpn/refs/heads/main/output/vpn/ipv4.txt", + "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", + "descr": "vpn IPs" + }, + "vpndc":{ + "url_4": "https://raw.githubusercontent.com/X4BNet/lists_vpn/refs/heads/main/output/datacenter/ipv4.txt", + "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", + "descr": "vpn datacenter IPs" + }, "webclient":{ "url_4": "https://iplists.firehol.org/files/firehol_webclient.netset", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "chain": "in", "descr": "malware related IPs" }, "yoyo":{ @@ -289,6 +342,7 @@ "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "chain": "out", "descr": "yoyo IPs", "flag": "tcp 80 443" } diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index acf2ffd064180a..205df62c2a3fc2 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -1,6 +1,6 @@ #!/bin/sh /etc/rc.common # banIP init script - ban incoming and outgoing IPs via named nftables Sets -# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org) +# Copyright (c) 2018-2025 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # (s)hellcheck exceptions diff --git a/net/banip/files/banip.tpl b/net/banip/files/banip.tpl index 924ffe0b68a418..284901538e7270 100644 --- a/net/banip/files/banip.tpl +++ b/net/banip/files/banip.tpl @@ -1,5 +1,5 @@ # banIP mail template/include - ban incoming and outgoing IPs via named nftables Sets -# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org) +# Copyright (c) 2018-2025 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # info preparation diff --git a/net/cloudflared/Makefile b/net/cloudflared/Makefile index e2302c06a8a765..bce0c74e068963 100644 --- a/net/cloudflared/Makefile +++ b/net/cloudflared/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cloudflared -PKG_VERSION:=2024.12.2 +PKG_VERSION:=2025.1.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)? -PKG_HASH:=48b9c54d79419d0489baadb8cb54d5196e0ff17650fb9eff81de02989fa8b009 +PKG_HASH:=f9223cdefaa4b75aa1c49638936af9d5007b6c7bd943ab70203bb75bf32467da PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE diff --git a/net/ddns-scripts/Makefile b/net/ddns-scripts/Makefile index 62a110955c4cbe..55db7fb63578bc 100644 --- a/net/ddns-scripts/Makefile +++ b/net/ddns-scripts/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ddns-scripts PKG_VERSION:=2.8.2 -PKG_RELEASE:=53 +PKG_RELEASE:=56 PKG_LICENSE:=GPL-2.0 @@ -155,6 +155,17 @@ define Package/ddns-scripts-dnspod/description endef +define Package/ddns-scripts-dnspod-v3 + $(call Package/ddns-scripts/Default) + TITLE:=Extension for dnspod.tencentcloudapi.com (aka: dnspod.cn) API v3 + DEPENDS:=ddns-scripts +curl +openssl-util +endef + +define Package/ddns-scripts-dnspod-v3/description + Dynamic DNS Client scripts extension for dnspod.tencentcloudapi.com API v3 (require curl) +endef + + define Package/ddns-scripts-noip $(call Package/ddns-scripts/Default) TITLE:=Extension for no-ip.com @@ -385,6 +396,7 @@ define Package/ddns-scripts-services/install rm $(1)/usr/share/ddns/default/godaddy.com-v1.json rm $(1)/usr/share/ddns/default/digitalocean.com-v2.json rm $(1)/usr/share/ddns/default/dnspod.cn.json + rm $(1)/usr/share/ddns/default/dnspod.cn-v3.json rm $(1)/usr/share/ddns/default/no-ip.com.json rm $(1)/usr/share/ddns/default/bind-nsupdate.json rm $(1)/usr/share/ddns/default/route53-v1.json @@ -541,6 +553,25 @@ exit 0 endef +define Package/ddns-scripts-dnspod-v3/install + $(INSTALL_DIR) $(1)/usr/lib/ddns + $(INSTALL_BIN) ./files/usr/lib/ddns/update_dnspod_cn_v3.sh \ + $(1)/usr/lib/ddns + + $(INSTALL_DIR) $(1)/usr/share/ddns/default + $(INSTALL_DATA) ./files/usr/share/ddns/default/dnspod.cn-v3.json \ + $(1)/usr/share/ddns/default/ +endef + +define Package/ddns-scripts-dnspod-v3/prerm +#!/bin/sh +if [ -z "$${IPKG_INSTROOT}" ]; then + /etc/init.d/ddns stop +fi +exit 0 +endef + + define Package/ddns-scripts-noip/install $(INSTALL_DIR) $(1)/usr/lib/ddns $(INSTALL_BIN) ./files/usr/lib/ddns/update_no-ip_com.sh \ @@ -760,6 +791,7 @@ $(eval $(call BuildPackage,ddns-scripts-freedns)) $(eval $(call BuildPackage,ddns-scripts-godaddy)) $(eval $(call BuildPackage,ddns-scripts-digitalocean)) $(eval $(call BuildPackage,ddns-scripts-dnspod)) +$(eval $(call BuildPackage,ddns-scripts-dnspod-v3)) $(eval $(call BuildPackage,ddns-scripts-noip)) $(eval $(call BuildPackage,ddns-scripts-nsupdate)) $(eval $(call BuildPackage,ddns-scripts-route53)) diff --git a/net/ddns-scripts/files/usr/lib/ddns/update_cloudflare_com_v4.sh b/net/ddns-scripts/files/usr/lib/ddns/update_cloudflare_com_v4.sh index 4fb3a0dd6b888f..f9f6876a1e5547 100644 --- a/net/ddns-scripts/files/usr/lib/ddns/update_cloudflare_com_v4.sh +++ b/net/ddns-scripts/files/usr/lib/ddns/update_cloudflare_com_v4.sh @@ -27,9 +27,8 @@ [ $use_https -eq 0 ] && use_https=1 # force HTTPS # used variables -local __HOST __DOMAIN __TYPE __URLBASE __PRGBASE __RUNPROG __DATA __IPV6 __ZONEID __RECID __PROXIED +local __HOST __DOMAIN __TYPE __URLBASE __PRGBASE __RUNPROG __DATA __IPV6 __ZONEID __RECID local __URLBASE="https://api.cloudflare.com/client/v4" -local __TTL=120 # split __HOST __DOMAIN from $domain # given data: @@ -186,16 +185,14 @@ __DATA=$(grep -o '"content":\s*"[^"]*' $DATFILE | grep -o '[^"]*$' | head -1) # update is needed # let's build data to send -# set proxied parameter -__PROXIED=$(grep -o '"proxied":\s*[^",]*' $DATFILE | grep -o '[^:]*$') # use file to work around " needed for json cat > $DATFILE << EOF -{"id":"$__ZONEID","type":"$__TYPE","name":"$__HOST","content":"$__IP","ttl":$__TTL,"proxied":$__PROXIED} +{"content":"$__IP"} EOF # let's complete transfer command -__RUNPROG="$__PRGBASE --request PUT --data @$DATFILE '$__URLBASE/zones/$__ZONEID/dns_records/$__RECID'" +__RUNPROG="$__PRGBASE --request PATCH --data @$DATFILE '$__URLBASE/zones/$__ZONEID/dns_records/$__RECID'" cloudflare_transfer || return 1 return 0 diff --git a/net/ddns-scripts/files/usr/lib/ddns/update_dnspod_cn_v3.sh b/net/ddns-scripts/files/usr/lib/ddns/update_dnspod_cn_v3.sh new file mode 100644 index 00000000000000..fd7124cd4c3209 --- /dev/null +++ b/net/ddns-scripts/files/usr/lib/ddns/update_dnspod_cn_v3.sh @@ -0,0 +1,345 @@ +#!/bin/sh +# +# Script for sending updates to cloud.tencent.com, modified based on +# "update_cloudflare_com_v4.sh" and "update_dnspod_cn.sh". +# +# You can found them from: +# - github.com/openwrt/packages for "update_cloudflare_com_v4.sh" +# - at: net/ddns-scripts/files/usr/lib/ddns/update_cloudflare_com_v4.sh +# - github.com/nixonli/ddns-scripts_dnspod for "update_dnspod_cn.sh" +# +# 2024 FriesI23 +# +# API documentation at https://cloud.tencent.com/document/api/1427/84627 +# API signature documentation at https://cloud.tencent.com/document/api/1427/56189 +# +# This script is parsed by dynamic_dns_functions.sh inside send_update() function +# +# using following options from /etc/config/ddns +# you can get your own secret values from console.cloud.tencent.com/cam/capi +# option username - api secretId +# option password - api secretKey +# option domain - "hostname@yourdomain.TLD" +# option record_id - record id for special record +# +# variable __IP already defined with the ip-address to use for update +# + +local OPENSSL=$(command -v openssl) + +# check parameters +[ -z "$username" ] && write_log 14 "Service section not configured correctly! Missing key as 'username'" +[ -z "$password" ] && write_log 14 "Service section not configured correctly! Missing secret as 'password'" +[ -z "$CURL_SSL" ] && write_log 13 "Dnspod communication require cURL with SSL support. Please install" +[ -z "$OPENSSL" ] && write_log 13 "Dnspod communication require openssl. Please install" +[ $use_https -eq 0 ] && use_https=1 + +# variables +local __HOST __DOMAIN __TYPE +local __RUNPROG +local __RECID __RECLINE __DATA __IPV6 +local __URLHOST="dnspod.tencentcloudapi.com" +local __URLBASE="https://$__URLHOST" +local __METHOD="POST" +local __CONTENT_TYPE="application/json" + +# split __HOST __DOMAIN from $domain +# given data: +# @example.com for "domain record" +# host.sub@example.com for a "host record" +__HOST=$(printf %s "$domain" | cut -d@ -f1) +__DOMAIN=$(printf %s "$domain" | cut -d@ -f2) + +# set record type +[ $use_ipv6 -eq 0 ] && __TYPE="A" || __TYPE="AAAA" + +tencentcloud_transfer() { + local __CNT=0 + local __ERR __CODE + + while :; do + write_log 7 "#> $__RUNPROG" + eval "$__RUNPROG" + __ERR=$? # save communication error + + if [ $__ERR -eq 0 ]; then + if grep -q '"Error"' "$DATFILE"; then + __CODE=$(grep -o '"Code":\s*"[^"]*' $DATFILE | grep -o '[^"]*$' | head -1) + [[ $__CODE == "ResourceNotFound.NoDataOfRecord" ]] && break + write_log 3 "cURL Response Error: '$__CODE'" + write_log 7 "$(cat $DATFILE)" # report error + else + break + fi + else + write_log 3 "cURL Error: '$__ERR'" + write_log 7 "$(cat $ERRFILE)" # report error + fi + + [ $VERBOSE -gt 1 ] && { + # VERBOSE > 1 then NO retry + write_log 4 "Transfer failed - Verbose Mode: $VERBOSE - NO retry on error" + break + } + + __CNT=$(($__CNT + 1)) # increment error counter + # if error count > retry_count leave here + [ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && + write_log 14 "Transfer failed after $retry_count retries" + + write_log 4 "Transfer failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds" + sleep $RETRY_SECONDS & + PID_SLEEP=$! + wait $PID_SLEEP # enable trap-handler + PID_SLEEP=0 + done + + # check for error + if grep -q '"Error":' $DATFILE; then + __CODE=$(grep -o '"Code":\s*"[^"]*' $DATFILE | grep -o '[^"]*$' | head -1) + [[ $__CODE == "ResourceNotFound.NoDataOfRecord" ]] && return 0 + write_log 4 "TecentCloud reported an error:" + write_log 7 "$(cat $DATFILE)" # report error + return 1 + fi + + return 0 +} + +# Build base command to use +__PRGBASE="$CURL -RsS -o $DATFILE --stderr $ERRFILE" + +# force network/interface-device to use for communication +if [ -n "$bind_network" ]; then + local __DEVICE + network_get_physdev __DEVICE $bind_network || + write_log 13 "Can not detect local device using 'network_get_physdev $bind_network' - Error: '$?'" + write_log 7 "Force communication via device '$__DEVICE'" + __PRGBASE="$__PRGBASE --interface $__DEVICE" +fi + +# force ip version to use +if [ $force_ipversion -eq 1 ]; then + [ $use_ipv6 -eq 0 ] && __PRGBASE="$__PRGBASE -4" || __PRGBASE="$__PRGBASE -6" # force IPv4/IPv6 +fi + +# set certificate parameters +if [ "$cacert" = "IGNORE" ]; then # idea from Ticket #15327 to ignore server cert + __PRGBASE="$__PRGBASE --insecure" # but not empty better to use "IGNORE" +elif [ -f "$cacert" ]; then + __PRGBASE="$__PRGBASE --cacert $cacert" +elif [ -d "$cacert" ]; then + __PRGBASE="$__PRGBASE --capath $cacert" +elif [ -n "$cacert" ]; then # it's not a file and not a directory but given + write_log 14 "No valid certificate(s) found at '$cacert' for HTTPS communication" +fi + +# disable proxy if not set (there might be .wgetrc or .curlrc or wrong environment set) +# or check if libcurl compiled with proxy support +if [ -z "$proxy" ]; then + __PRGBASE="$__PRGBASE --noproxy '*'" +elif [ -z "$CURL_PROXY" ]; then + # if libcurl has no proxy support and proxy should be used then force ERROR + write_log 13 "cURL: libcurl compiled without Proxy support" +fi + +# Signature Method v3 +# get more information from github.com/TencentCloud/signature-process-demo, +# at signature-v3/bash/signv3_no_xdd.sh +# usage: build_authorization +build_authorization() { + local __SECRET_ID=$username + local __SECRET_KEY=$password + + local __SERVICE=$(printf %s "$__URLHOST" | cut -d '.' -f1) + local __REGION="" + local __ACTION=$1 + local __VERSION=$2 + local __ALGORITHM="TC3-HMAC-SHA256" + local __TIMESTAMP=$3 + local __DATE=$(date -u -d @$__TIMESTAMP +"%Y-%m-%d") + local __PAYLOAD=$4 + + # Step 1: Concatenate request string + local __CANONICAL_URI="/" + local __CANONICAL_QUERYSTRING="" + local __CANONICAL_HEADERS=$( + cat < +build_header() { + local __ACTION=$1 + local __VERSION=$2 + local __TIMESTAMP=$(date +%s) + local __PAYLOAD=$3 + + local __AUTHORIZATION=$(build_authorization $__ACTION $__VERSION $__TIMESTAMP $__PAYLOAD) + + printf '%s' "--header 'HOST: $__URLHOST' " + printf '%s' "--header 'Content-Type: $__CONTENT_TYPE' " + printf '%s' "--header 'X-TC-Action: $__ACTION' " + printf '%s' "--header 'X-TC-Version: $__VERSION' " + printf '%s' "--header 'X-TC-Timestamp: $__TIMESTAMP' " + printf '%s' "--header 'Authorization: $__AUTHORIZATION' " +} + +# API: DescribeRecordList。 +# https://cloud.tencent.com/document/api/1427/56166 +build_describe_record_list_request_param() { + local __PAYLOAD="{\"Domain\":\"$__DOMAIN\"" + __PAYLOAD="$__PAYLOAD,\"Offset\":0" + __PAYLOAD="$__PAYLOAD,\"Limit\":1" + __PAYLOAD="$__PAYLOAD,\"RecordType\":\"$__TYPE\"" + if [[ -n "$__HOST" ]]; then + __PAYLOAD="$__PAYLOAD,\"Subdomain\":\"$__HOST\"" + fi + __PAYLOAD="$__PAYLOAD}" + + printf '%s' "--request POST " + printf '%s' "$__URLBASE " + printf '%s' "--data '$__PAYLOAD' " + build_header "DescribeRecordList" "2021-03-23" $__PAYLOAD +} + +# API: CreateRecord +# https://cloud.tencent.com/document/api/1427/56180 +build_create_record_request_param() { + local __VALUE=$1 + local __RECLINE=${2:-默认} + + local __PAYLOAD="{\"Domain\":\"$__DOMAIN\"" + __PAYLOAD="$__PAYLOAD,\"RecordType\":\"$__TYPE\"" + __PAYLOAD="$__PAYLOAD,\"RecordLine\":\"$__RECLINE\"" + __PAYLOAD="$__PAYLOAD,\"Value\":\"$__VALUE\"" + if [[ -n "$__HOST" ]]; then + __PAYLOAD="$__PAYLOAD,\"SubDomain\":\"$__HOST\"" + fi + __PAYLOAD="$__PAYLOAD}" + + printf '%s' "--request POST " + printf '%s' "$__URLBASE " + printf '%s' "--data '$__PAYLOAD' " + build_header "CreateRecord" "2021-03-23" $__PAYLOAD +} + +# API: ModifyRecord +# https://cloud.tencent.com/document/api/1427/56157 +build_modify_record_request_param() { + local __VALUE=$1 + local __RECLINE=${2:-默认} + local __RECID=$3 + + local __PAYLOAD="{\"Domain\":\"$__DOMAIN\"" + __PAYLOAD="$__PAYLOAD,\"RecordType\":\"$__TYPE\"" + __PAYLOAD="$__PAYLOAD,\"RecordLine\":\"$__RECLINE\"" + __PAYLOAD="$__PAYLOAD,\"RecordId\":$__RECID" + __PAYLOAD="$__PAYLOAD,\"Value\":\"$__VALUE\"" + if [[ -n "$__HOST" ]]; then + __PAYLOAD="$__PAYLOAD,\"SubDomain\":\"$__HOST\"" + fi + __PAYLOAD="$__PAYLOAD}" + + printf '%s' "--request POST " + printf '%s' "$__URLBASE " + printf '%s' "--data '$__PAYLOAD' " + build_header "ModifyRecord" "2021-03-23" $__PAYLOAD +} + +if [ -n "$record_id" ]; then + __RECID="$record_id" +else + # read record id for A or AAAA record of host.domain.TLD + __RUNPROG="$__PRGBASE $(build_describe_record_list_request_param)" + # extract zone id + tencentcloud_transfer || return 1 + __RECID=$(grep -o '"RecordId":[[:space:]]*[0-9]*' $DATFILE | grep -o '[0-9]*' | head -1) +fi + +[ $VERBOSE -gt 1 ] && write_log 7 "Got record id: $__RECID" + +# extract current stored IP +__RECLINE=$(grep -o '"Line":\s*"[^"]*' $DATFILE | grep -o '[^"]*$' | head -1) +__DATA=$(grep -o '"Value":\s*"[^"]*' $DATFILE | grep -o '[^"]*$' | head -1) + +# check data +[ $use_ipv6 -eq 0 ] && + __DATA=$(printf "%s" "$__DATA" | grep -m 1 -o "$IPV4_REGEX") || + __DATA=$(printf "%s" "$__DATA" | grep -m 1 -o "$IPV6_REGEX") + +# we got data so verify +[ -n "$__DATA" ] && { + # expand IPv6 for compare + if [ $use_ipv6 -eq 1 ]; then + expand_ipv6 $__IP __IPV6 + expand_ipv6 $__DATA __DATA + [ "$__DATA" = "$__IPV6" ] && { # IPv6 no update needed + write_log 7 "IPv6 at cloud.tencent.com already up to date" + return 0 + } + else + [ "$__DATA" = "$__IP" ] && { # IPv4 no update needed + write_log 7 "IPv4 at cloud.tencent.com already up to date" + return 0 + } + fi +} + +if [ -z "$__RECID" ]; then + # create new record if record id not found + __RUNPROG="$__PRGBASE $(build_create_record_request_param $__IP $__RECLINE)" + tencentcloud_transfer || return 1 + return 0 +fi + +__RUNPROG="$__PRGBASE $(build_modify_record_request_param $__IP $__RECLINE $__RECID)" +tencentcloud_transfer || return 1 +return diff --git a/net/ddns-scripts/files/usr/share/ddns/default/dnspod.cn-v3.json b/net/ddns-scripts/files/usr/share/ddns/default/dnspod.cn-v3.json new file mode 100644 index 00000000000000..c3d6ba616f44a8 --- /dev/null +++ b/net/ddns-scripts/files/usr/share/ddns/default/dnspod.cn-v3.json @@ -0,0 +1,9 @@ +{ + "name": "dnspod.cn-v3", + "ipv4": { + "url": "update_dnspod_cn_v3.sh" + }, + "ipv6": { + "url": "update_dnspod_cn_v3.sh" + } +} diff --git a/net/ddns-scripts/files/usr/share/ddns/default/ipv64.net.json b/net/ddns-scripts/files/usr/share/ddns/default/ipv64.net.json new file mode 100644 index 00000000000000..dfd5c5180c7ba4 --- /dev/null +++ b/net/ddns-scripts/files/usr/share/ddns/default/ipv64.net.json @@ -0,0 +1,11 @@ +{ + "name": "ipv64.net", + "ipv4": { + "url": "http://ipv64.net/nic/update?domain=[DOMAIN]&key=[PASSWORD]&ip=[IP]", + "answer": "good|nochg" + }, + "ipv6": { + "url": "http://ipv64.net/nic/update?domain=[DOMAIN]&key=[PASSWORD]&ipv6=[IP]", + "answer": "good|nochg" + } +} diff --git a/net/ddns-scripts/files/usr/share/ddns/list b/net/ddns-scripts/files/usr/share/ddns/list index 9373aeed035116..af126ef88021a8 100644 --- a/net/ddns-scripts/files/usr/share/ddns/list +++ b/net/ddns-scripts/files/usr/share/ddns/list @@ -35,6 +35,7 @@ he.net hosting.de infomaniak.com ipnodns.ru +ipv64.net inwx.de joker.com loopia.se diff --git a/net/iperf3/Makefile b/net/iperf3/Makefile index 45d4721bf28866..a5fe604506a3c2 100644 --- a/net/iperf3/Makefile +++ b/net/iperf3/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=iperf -PKG_VERSION:=3.17.1 -PKG_RELEASE:=4 +PKG_VERSION:=3.18 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.es.net/pub/iperf -PKG_HASH:=84404ca8431b595e86c473d8f23d8bb102810001f15feaf610effd3b318788aa +PKG_HASH:=c0618175514331e766522500e20c94bfb293b4424eb27d7207fb427b88d20bab PKG_MAINTAINER:=Felix Fietkau PKG_LICENSE:=BSD-3-Clause diff --git a/net/iperf3/patches/020-big-endian.patch b/net/iperf3/patches/010-big-endian.patch similarity index 94% rename from net/iperf3/patches/020-big-endian.patch rename to net/iperf3/patches/010-big-endian.patch index 35490c9dec8338..f57ef51a4af4e9 100644 --- a/net/iperf3/patches/020-big-endian.patch +++ b/net/iperf3/patches/010-big-endian.patch @@ -10,7 +10,7 @@ iperf_printf is using an int format here but an int64_t variable. The format onl --- a/src/iperf_api.c +++ b/src/iperf_api.c -@@ -4056,7 +4056,7 @@ iperf_print_results(struct iperf_test *t +@@ -4137,7 +4137,7 @@ iperf_print_results(struct iperf_test *t iperf_printf(test, report_sender_not_available_summary_format, "SUM"); } else { diff --git a/net/iperf3/patches/010-y2k.patch b/net/iperf3/patches/010-y2k.patch deleted file mode 100644 index 86350d1ad81851..00000000000000 --- a/net/iperf3/patches/010-y2k.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 4c7629f590bb18855e478a826833adb05d2a128b Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Sat, 8 Jun 2024 15:35:47 -0700 -Subject: [PATCH] fix -Wformat-y2k error - -%c potentially prints a 2 digit year. Just use a normal format. ---- - src/iperf_error.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/src/iperf_error.c -+++ b/src/iperf_error.c -@@ -99,7 +99,7 @@ iperf_errexit(struct iperf_test *test, c - if (test != NULL && test->timestamps) { - time(&now); - ltm = localtime(&now); -- strftime(iperf_timestrerr, sizeof(iperf_timestrerr), "%c ", ltm); -+ strftime(iperf_timestrerr, sizeof(iperf_timestrerr), "%Y-%m-%d %H:%M:%S", ltm); - ct = iperf_timestrerr; - } - diff --git a/net/iperf3/patches/030-musl-crash.patch b/net/iperf3/patches/030-musl-crash.patch deleted file mode 100644 index bc1df68c8ef7d8..00000000000000 --- a/net/iperf3/patches/030-musl-crash.patch +++ /dev/null @@ -1,19 +0,0 @@ -From 3da07ae96f5b40f76b75e1ccd4b20267f6a5988e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jakub=20Kul=C3=ADk?= -Date: Wed, 28 Aug 2024 09:43:04 +0200 -Subject: [PATCH] remove incorrect freeaddrinfo call - ---- - src/net.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/src/net.c -+++ b/src/net.c -@@ -145,7 +145,6 @@ create_socket(int domain, int proto, con - if ((gerror = getaddrinfo(server, portstr, &hints, &server_res)) != 0) { - if (local) - freeaddrinfo(local_res); -- freeaddrinfo(server_res); - return -1; - } - diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index ae8abaf6b3a01c..4ce56b0fcd6d8e 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd -PKG_VERSION:=1.4.76 -PKG_RELEASE:=2 +PKG_VERSION:=1.4.77 +PKG_RELEASE:=1 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x -PKG_HASH:=8cbf4296e373cfd0cedfe9d978760b5b05c58fdc4048b4e2bcaf0a61ac8f5011 +PKG_HASH:=acafabdbfa2267d8b6452d03d85fdd2a66525f3f05a36a79b6645c017f1562ce PKG_MAINTAINER:=Glenn Strauss PKG_LICENSE:=BSD-3-Clause diff --git a/net/lighttpd/files/lighttpd.init b/net/lighttpd/files/lighttpd.init index ffaae34a21e0ae..33443005eef00d 100644 --- a/net/lighttpd/files/lighttpd.init +++ b/net/lighttpd/files/lighttpd.init @@ -26,6 +26,7 @@ start_service() { validate_conf || exit 1 procd_open_instance + procd_set_param reload_signal USR1 procd_set_param command $PROG -D -f /etc/lighttpd/lighttpd.conf procd_close_instance } @@ -33,6 +34,7 @@ start_service() { service_triggers() { procd_add_reload_interface_trigger loopback procd_add_reload_interface_trigger lan + procd_add_raw_trigger acme.renew 5000 /etc/init.d/lighttpd reload } reload_service() { diff --git a/net/lighttpd/patches/020-meson-mod_webdav_min.patch b/net/lighttpd/patches/020-meson-mod_webdav_min.patch index 9ee188110287d6..fc7b155382c552 100644 --- a/net/lighttpd/patches/020-meson-mod_webdav_min.patch +++ b/net/lighttpd/patches/020-meson-mod_webdav_min.patch @@ -9,7 +9,7 @@ Subject: [PATCH] [meson] mod_webdav_min w/o deps: xml2 sqlite3 uuid --- a/src/meson.build +++ b/src/meson.build -@@ -871,6 +871,16 @@ if (host_machine.system() == 'darwin') +@@ -887,6 +887,16 @@ if (host_machine.system() == 'darwin') plugin_suffix = 'so' # use "so" instead of "dylib" endif diff --git a/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch b/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch deleted file mode 100644 index 845f23adcef1d2..00000000000000 --- a/net/lighttpd/patches/030-sys-crypto.h-add-support-for-OpenSSL-as-crypto-libra.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20=C5=A0tetiar?= -Date: Sat, 4 May 2024 06:33:16 +0000 -Subject: [PATCH] sys-crypto.h: add support for OpenSSL as crypto library -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Each TLS module in lighttpd is built to utilize its corresponding TLS -library. For example, lighttpd's mod_openssl module utilizes OpenSSL, -and its mod_mbedtls module uses mbedTLS. - -Separately, the core lighttpd application may employ cryptographic -functions. For efficiency and portability, if lighttpd is compiled with -Nettle, it becomes the default cryptographic library for the base -application. However, each TLS module within lighttpd still relies on -its respective TLS library. - -In scenarios where lighttpd is configured with only one TLS library and -without Nettle, the base application adopts the cryptographic functions -from that specific TLS library. - -When preparing for Linux distributions, lighttpd might be built with -several TLS modules, where each module uses its designated TLS library. -Presently, lighttpd does not offer a distinct, dedicated option to -select the cryptographic library for the base application. - -In contexts like embedded systems, where a single TLS library might be -utilized across the entire base system, specific configurations allow -the use of either mbedTLS or wolfSSL. For these, lighttpd is compiled -with -DFORCE_MBEDTLS_CRYPTO or -DFORCE_WOLFSSL_CRYPTO, respectively. - -To extend this capability, let's introduce the FORCE_OPENSSL_CRYPTO -define, enabling lighttpd to also use OpenSSL as an additional -cryptographic library, akin to the existing support for mbedTLS and -wolfSSL. - - -Suggested-by: Glenn Strauss -Signed-off-by: Petr Štetiar ---- - src/sys-crypto.h | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - ---- a/src/sys-crypto.h -+++ b/src/sys-crypto.h -@@ -60,4 +60,24 @@ - #endif - #endif - -+#ifdef USE_OPENSSL_CRYPTO -+#ifdef FORCE_OPENSSL_CRYPTO -+#undef USE_GNUTLS_CRYPTO -+#undef USE_MBEDTLS_CRYPTO -+#undef USE_NETTLE_CRYPTO -+#undef USE_NSS_CRYPTO -+#undef USE_WOLFSSL_CRYPTO -+#endif -+#endif -+ -+#ifdef USE_GNUTLS_CRYPTO -+#ifdef FORCE_GNUTLS_CRYPTO -+#undef USE_MBEDTLS_CRYPTO -+#undef USE_NETTLE_CRYPTO -+#undef USE_NSS_CRYPTO -+#undef USE_OPENSSL_CRYPTO -+#undef USE_WOLFSSL_CRYPTO -+#endif -+#endif -+ - #endif diff --git a/net/nextdns/Makefile b/net/nextdns/Makefile index 9109b87214af34..845d1307d25d94 100644 --- a/net/nextdns/Makefile +++ b/net/nextdns/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nextdns -PKG_VERSION:=1.44.3 +PKG_VERSION:=1.44.4 PKG_RELEASE:=1 PKG_SOURCE:=nextdns-$(PKG_VERSION).tar.gz PKG_SOURCE_VERSION:=v$(PKG_VERSION) PKG_SOURCE_URL:=https://codeload.github.com/nextdns/nextdns/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=ac77f24eb0bded216b57a82ca93960547c07561080df3fc20d1b363e38b7f3af +PKG_HASH:=00060ddffa669bf67b468dc5fc1a583e96b95d8858b18fb9ee05b60209bdbf2a PKG_MAINTAINER:=Olivier Poitrey PKG_LICENSE:=MIT diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index cada430072d66a..c7026ad2b8895a 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.6.12 +PKG_VERSION:=2.6.13 PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_HASH:=1c610fddeb686e34f1367c347e027e418e07523a10f4d8ce4a2c2af2f61a1929 +PKG_HASH:=1af10b86922bd7c99827cc0f151dfe9684337b8e5ebdb397539172841ac24a6a PKG_MAINTAINER:= diff --git a/net/rsync/Makefile b/net/rsync/Makefile index 723eaa348f2ed5..4fd7185f8b733a 100644 --- a/net/rsync/Makefile +++ b/net/rsync/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rsync -PKG_VERSION:=3.3.0 -PKG_RELEASE:=2 +PKG_VERSION:=3.4.1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src -PKG_HASH:=7399e9a6708c32d678a72a63219e96f23be0be2336e50fd1348498d07041df90 +PKG_HASH:=2924bcb3a1ed8b551fc101f740b9f0fe0a202b115027647cf69850d65fd88c52 PKG_MAINTAINER:=Maxim Storchak PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/sing-box/Makefile b/net/sing-box/Makefile index 98ef41a6f622fe..3326ac0a93dfaa 100644 --- a/net/sing-box/Makefile +++ b/net/sing-box/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sing-box -PKG_VERSION:=1.9.7 +PKG_VERSION:=1.10.7 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=5b015352f3434bb780af01a6b1f6c0fe706166d6c44a69547e29892f0920b944 +PKG_HASH:=402b618148b58f5ff6c1bee4f4fdcf7cdcb88a2df6a8bd682ea742a89b5be9ec PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=LICENSE diff --git a/net/transmission/Makefile b/net/transmission/Makefile index 9b0fed9354e594..f4ee60ea6a6cb6 100644 --- a/net/transmission/Makefile +++ b/net/transmission/Makefile @@ -21,7 +21,7 @@ PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:transmissionbt:transmission PKG_INSTALL:=1 -PKG_BUILD_DEPENDS:=libb64 node/host +PKG_BUILD_DEPENDS:=libb64 PKG_BUILD_PARALLEL:=1 PKG_BUILD_FLAGS:=gc-sections lto PKG_CONFIG_DEPENDS:= \ diff --git a/net/trojan-go/Makefile b/net/trojan-go/Makefile deleted file mode 100644 index 37072332c1ebef..00000000000000 --- a/net/trojan-go/Makefile +++ /dev/null @@ -1,48 +0,0 @@ -# SPDX-License-Identifier: GPL-3.0-only -# -# Copyright (C) 2021 ImmortalWrt.org - -include $(TOPDIR)/rules.mk - -PKG_NAME:=trojan-go -PKG_VERSION:=0.10.6 -PKG_RELEASE:=2 - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/p4gefau1t/trojan-go/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=925f02647dda944813f1eab0b71eac98b83eb5964ef5a6f63e89bc7eb4486c1f - -PKG_LICENSE:=GPL-3.0-only -PKG_LICENSE_FILES:=LICENSE -PKG_MAINTAINER:=Tianling Shen - -PKG_BUILD_DEPENDS:=golang/host -PKG_BUILD_PARALLEL:=1 -PKG_BUILD_FLAGS:=no-mips16 - -GO_PKG:=github.com/p4gefau1t/trojan-go -GO_PKG_BUILD_PKG:=$(GO_PKG) -GO_PKG_LDFLAGS_X:= \ - $(GO_PKG)/constant.Version=$(PKG_VERSION) \ - $(GO_PKG)/constant.Commit=v$(PKG_VERSION) -GO_PKG_TAGS:=full - -include $(INCLUDE_DIR)/package.mk -include ../../lang/golang/golang-package.mk - -define Package/trojan-go - SECTION:=net - CATEGORY:=Network - SUBMENU:=Web Servers/Proxies - TITLE:=A Trojan proxy written in Go - DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle - URL:=https://p4gefau1t.github.io/trojan-go/ -endef - -define Package/trojan-go/description - Trojan features multiple protocols over TLS to avoid both - active/passive detections and ISP QoS limitations. -endef - -$(eval $(call GoBinPackage,trojan-go)) -$(eval $(call BuildPackage,trojan-go)) diff --git a/net/trojan-go/test.sh b/net/trojan-go/test.sh deleted file mode 100644 index 69f3f6b855ec4b..00000000000000 --- a/net/trojan-go/test.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -trojan-go -version | grep "$PKG_VERSION" diff --git a/net/v2ray-core/Makefile b/net/v2ray-core/Makefile index b9c55b5c8f9d53..ac701e048dddbb 100644 --- a/net/v2ray-core/Makefile +++ b/net/v2ray-core/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=v2ray-core -PKG_VERSION:=5.22.0 +PKG_VERSION:=5.24.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=df25a873c8f7fb30f44cb6d26b18db264dfa209df5aeb6116fc43df7157fb4b8 +PKG_HASH:=1b434135924f324dc3f6cf415b9109596a7b356ffcb7948b4e206b50a5e41a88 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE diff --git a/net/vsftpd/Makefile b/net/vsftpd/Makefile index b4ffe3bc01932c..cdabf6061af445 100644 --- a/net/vsftpd/Makefile +++ b/net/vsftpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=vsftpd PKG_VERSION:=3.0.5 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://security.appspot.com/downloads/ @@ -46,6 +46,7 @@ endef define Package/vsftpd/conffiles /etc/vsftpd.conf /etc/vsftpd +/etc/config/vsftpd endef Package/vsftpd-tls/conffiles=$(Package/vsftpd/conffiles) diff --git a/net/vsftpd/files/vsftpd.init b/net/vsftpd/files/vsftpd.init index 610253d194576d..e905bb74d11b1c 100644 --- a/net/vsftpd/files/vsftpd.init +++ b/net/vsftpd/files/vsftpd.init @@ -3,12 +3,13 @@ START=50 USE_PROCD=1 -BIN=vsftpd +BIN="/usr/sbin/vsftpd" . /lib/functions.sh PORT=21 OUTPUT_CONF="/var/etc/vsftpd.conf" +readonly DEFAULT_SECURE_CHROOT="/var/run/vsftpd" readonly TEMP_OUTPUT_CONF="/var/etc/vsftpd.conf.tmp" write_conf() { @@ -74,6 +75,7 @@ setup_vsftpd() { return 1 fi + # Clean up rm -rf "$TEMP_OUTPUT_CONF" # Clear temporary file touch "$TEMP_OUTPUT_CONF" @@ -108,10 +110,16 @@ setup_vsftpd() { [ -n "$local_root" ] && write_conf "local_root" "$local_root" [ -n "$rsa_cert_file" ] && write_conf "rsa_cert_file" "$rsa_cert_file" [ -n "$rsa_private_key_file" ] && write_conf "rsa_private_key_file" "$rsa_private_key_file" - [ -n "$secure_chroot_dir" ] && write_conf "secure_chroot_dir" "$secure_chroot_dir" [ -n "$userlist_file" ] && write_conf "userlist_file" "$userlist_file" [ -n "$xferlog_file" ] && write_conf "xferlog_file" "$xferlog_file" + if [ -n "$secure_chroot_dir" ] && [ "$secure_chroot_dir" != "$DEFAULT_SECURE_CHROOT" ]; then + # remove the DEFAULT_SECURE_CHROOT directory + # it is not needed now + rm -rf "$DEFAULT_SECURE_CHROOT" + write_conf "secure_chroot_dir" "$secure_chroot_dir" + fi + # move temporary file to the main configuration file mv "$TEMP_OUTPUT_CONF" "$OUTPUT_CONF" } @@ -128,6 +136,11 @@ start_service() { return fi + # clean and create the default chroot directory + rm -rf "$DEFAULT_SECURE_CHROOT" + mkdir -m 0755 -p "$DEFAULT_SECURE_CHROOT" + chown root:root "$DEFAULT_SECURE_CHROOT" + config_get_bool conf_file global conf_file "" if [ -n "$conf_file" ]; then # use user defined conf file instead of UCI @@ -140,7 +153,7 @@ start_service() { procd_open_instance "vsftpd" config_get_bool mdns global mdns 0 - [ "${mdns}" -eq 1 ] && procd_add_mdns "ftp" "tcp" "$PORT" "daemon=$BIN" + [ "${mdns}" -eq 1 ] && procd_add_mdns "ftp" "tcp" "$PORT" "daemon=vsftpd" procd_set_param command "$BIN" "$OUTPUT_CONF" procd_set_param respawn diff --git a/net/vsftpd/files/vsftpd.uci b/net/vsftpd/files/vsftpd.uci index 1394742df188e4..e1affdf15f95b3 100644 --- a/net/vsftpd/files/vsftpd.uci +++ b/net/vsftpd/files/vsftpd.uci @@ -1,6 +1,4 @@ config global 'global' - option listen '1' - option write_enable '1' - option anonymous_enable '0' - option local_enable '1' + option disabled '0' option mdns '0' + option conf_file '/etc/vsftpd.conf' diff --git a/utils/mariadb/Makefile b/utils/mariadb/Makefile index 8b087fa7133905..fa24079f941eca 100644 --- a/utils/mariadb/Makefile +++ b/utils/mariadb/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mariadb -PKG_VERSION:=11.4.3 +PKG_VERSION:=11.4.4 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL := https://archive.mariadb.org/$(PKG_NAME)-$(PKG_VERSION)/source -PKG_HASH:=6f0017b9901bb1897de0eed21caef9ffa9d66ef559345a0d8a6f011308413ece +PKG_HASH:=96fbd2e6e93fb7e8b373eea75d85b6fea57c0e111a02090cbbefed52599dc77b PKG_MAINTAINER:=Michal Hrusecky PKG_LICENSE:=GPL-2.0-only PKG_LICENSE_FILES:=COPYING THIRDPARTY diff --git a/utils/mariadb/patches/170-ppc-remove-glibc-dep.patch b/utils/mariadb/patches/170-ppc-remove-glibc-dep.patch deleted file mode 100644 index 3ce75d5a56104d..00000000000000 --- a/utils/mariadb/patches/170-ppc-remove-glibc-dep.patch +++ /dev/null @@ -1,34 +0,0 @@ ---- a/include/my_cpu.h -+++ b/include/my_cpu.h -@@ -24,17 +24,16 @@ - */ - - #ifdef _ARCH_PWR8 --#include - /* Very low priority */ --#define HMT_very_low() __ppc_set_ppr_very_low() -+#define HMT_very_low() asm volatile("or 31,31,31") - /* Low priority */ --#define HMT_low() __ppc_set_ppr_low() -+#define HMT_low() asm volatile ("or 1,1,1") - /* Medium low priority */ --#define HMT_medium_low() __ppc_set_ppr_med_low() -+#define HMT_medium_low() asm volatile ("or 6,6,6") - /* Medium priority */ --#define HMT_medium() __ppc_set_ppr_med() -+#define HMT_medium() asm volatile ("or 2,2,2") - /* Medium high priority */ --#define HMT_medium_high() __ppc_set_ppr_med_high() -+#define HMT_medium_high() asm volatile("or 5,5,5") - /* High priority */ - #define HMT_high() asm volatile("or 3,3,3") - #else -@@ -81,7 +80,7 @@ static inline void MY_RELAX_CPU(void) - __asm__ __volatile__ ("pause"); - #endif - #elif defined(_ARCH_PWR8) -- __ppc_get_timebase(); -+ __builtin_ppc_get_timebase(); - #elif defined __GNUC__ && (defined __arm__ || defined __aarch64__) - /* Mainly, prevent the compiler from optimizing away delay loops */ - __asm__ __volatile__ ("":::"memory"); diff --git a/utils/mariadb/patches/210-no-altivec.patch b/utils/mariadb/patches/210-no-altivec.patch index 991bb265974ebf..a7aab8b3c12388 100644 --- a/utils/mariadb/patches/210-no-altivec.patch +++ b/utils/mariadb/patches/210-no-altivec.patch @@ -1,6 +1,6 @@ --- a/mysys/CMakeLists.txt +++ b/mysys/CMakeLists.txt -@@ -137,7 +137,7 @@ ELSEIF(CMAKE_SYSTEM_PROCESSOR MATCHES "a +@@ -138,7 +138,7 @@ ELSEIF(CMAKE_SYSTEM_PROCESSOR MATCHES "a ENDIF() ENDIF() diff --git a/utils/tree/Makefile b/utils/tree/Makefile index 1d3994ab19cbd6..6d60e6659f1af0 100644 --- a/utils/tree/Makefile +++ b/utils/tree/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tree -PKG_VERSION:=2.1.3 +PKG_VERSION:=2.2.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/Old-Man-Programmer/$(PKG_NAME)/tar.gz/$(PKG_VERSION)? -PKG_HASH:=3ffe2c8bb21194b088ad1e723f0cf340dd434453c5ff9af6a38e0d47e0c2723b +PKG_HASH:=5caddcbca805131ff590b126d3218019882e4ca10bc9eb490bba51c05b9b3b75 PKG_MAINTAINER:=Banglang Huang diff --git a/utils/yq/Makefile b/utils/yq/Makefile index a17dee3df7b8e6..46fdd3a365be43 100644 --- a/utils/yq/Makefile +++ b/utils/yq/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=yq -PKG_VERSION:=4.44.6 +PKG_VERSION:=4.45.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/mikefarah/yq/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=c0acef928168e5fdb26cd7e8320eddde822f30cf1942817f3f6b854dd721653f +PKG_HASH:=074a21a002c32a1db3850064ad1fc420083d037951c8102adecfea6c5fd96427 PKG_MAINTAINER:=Tianling Shen PKG_LICENSE:=MIT